Assertion failure: hasCallObj(), at ../jit/BaselineFrame-inl.h:73 or Crash [@ callObj]

RESOLVED FIXED in mozilla27

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 4 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: djvj)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla27
Platform: x86_64
OS: Linux
Keywords: assertion, crash, regression, testcase
Points: ---

Firefox Tracking Flags

(firefox24 unaffected, firefox25 unaffected, firefox26 unaffected, firefox27 affected, firefox-esr17 unaffected, firefox-esr24 unaffected)

Details

(Whiteboard: [jsbugmon:], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
The following testcase asserts on mozilla-central revision e85b0372cece (run with --fuzzing-safe --ion-eager):


function $ERROR() {}
function testMultipleArgumentsObjects() {
    var testargs = arguments;
    var f = function (which) {
        var args = [ testargs ];
        return args[which][0];
    };
    var arr = [0, 0, 0, 0, 1];
    for (var i = 0; i < arr.length; i++)
        $ERROR[i] = f(arr[i]);
}
testMultipleArgumentsObjects()
(Reporter)

Comment 1

4 years ago
Created attachment 810590 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Updated

4 years ago
Crash Signature: [@ callObj]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 2

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/cd646a300ffe
user:        Kannan Vijayan
date:        Mon Sep 23 10:50:30 2013 -0400
summary:     Bug 918405 - Enable OSR-ing into Ion in functions with needsArgsObj. r=h4writer

This iteration took 400.086 seconds to run.

Comment 3

4 years ago
Kannan, is bug 918405 a likely regressor?
Blocks: 918405
Flags: needinfo?(kvijayan)
Keywords: regression
status-firefox24: --- → unaffected
status-firefox25: --- → unaffected
status-firefox26: --- → unaffected
status-firefox27: --- → affected
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected

Comment 4

4 years ago
Thanks!

Comment 5

4 years ago
Thanks!

Comment 6

4 years ago
Thanks!
Flags: needinfo?(kvijayan)

Comment 7

4 years ago
Please stop spamming bugs and cancelling flags.
Flags: needinfo?(kvijayan)
(Assignee)

Comment 8

4 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] (still catching up on bugmail) from comment #3)
> Kannan, is bug 918405 a likely regressor?

Yes.  There's a good chance it's a regressor.
Flags: needinfo?(kvijayan)
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
(Reporter)

Comment 9

4 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ddd03c32fab1).
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
(Reporter)

Comment 10

4 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/27921f21cddf
user:        Phil Ringnalda
date:        Mon Oct 14 14:03:03 2013 -0700
summary:     Back out 755ecb4d6e2c and 7ea09c8bf385 (bug 925962) for bustage

This iteration took 422.358 seconds to run.
(Assignee)

Comment 11

4 years ago
I don't think bug 925962 is actually related to the issue.  I also think bug 918405 revealed the issue but is not the cause of it.

I haven't fully narrowed this down yet, but as far as I can tell, the function |testMultipleArgumentsObjects| is heavyweight, has a call object created for it when running in baseline, and enters Ion via OSR (and the Call object is correctly carried into the Ion entry). However, later there's a bailout from an inlined call to |f| within |testMultipleArgumentsObjects|, and when unpacking scopeChain objects from the snapshot in this bailout, the call object is not being captured.

Looking at the IonGraph spew for the function, during the Eliminate phis pass, the ResumePoint handle to the scope chain definition seems to be "lost" (refers to a nonexistent definition).
Assignee: general → kvijayan
(Assignee)

Comment 12

4 years ago
Yeah, aggressive phi elimination is getting rid of the scopeChain even though we may need it later to construct an arguments object.
(Assignee)

Comment 13

4 years ago
Created attachment 817359 [details] [diff] [review]
save-scope-chain.patch
Attachment #817359 - Flags: review?(hv1989)

Comment 14

4 years ago
Comment on attachment 817359 [details] [diff] [review]
save-scope-chain.patch

Review of attachment 817359 [details] [diff] [review]:
-----------------------------------------------------------------

Good find. Would be good to have an active testcase for this in jit-tests in order to not regress this.
Attachment #817359 - Flags: review?(hv1989) → review+
(Assignee)

Comment 15

4 years ago
Tried to create a testcase that asserted on tip for this yesterday, didn't get anywhere.  I'm checking in with the original test case, which is better than nothing.

Comment 16

4 years ago
Turns out the original test case is worse than nothing, because it'll get you backed out in http://hg.mozilla.org/integration/mozilla-inbound/rev/062d17374196 by failing like https://tbpl.mozilla.org/php/getParsedLog.php?id=29195313&tree=Mozilla-Inbound ;)
(Assignee)

Comment 17

4 years ago
Forgot that the correct outcome for that test case is for it to throw.  Will check in shortly.
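The following is an added example, not code from this bug or from mozilla-central: the fuzzer testcase from the description restated as a self-checking test in the spirit of the jit-test the reviewer asked for. It encodes the outcome comment 17 calls correct: the first four lookups (which = 0) succeed and read the captured arguments object through the closure's scope chain, and the fifth (which = 1) indexes past the one-element array, so the property access on undefined throws a TypeError. The helper names (runTestcase, sink) are mine. It runs in any JS engine; in the SpiderMonkey shell the original was driven with --fuzzing-safe --ion-eager to force the OSR-into-Ion path the bug depends on.

```javascript
// Added example, not code from the bug report or mozilla-central.
// Self-checking version of the testcase in the description.

function testMultipleArgumentsObjects(/* first, sink */) {
    // Capturing |arguments| in a closure makes this function heavyweight:
    // the engine has to materialize a real arguments object and a call
    // object, and |f| reaches |testargs| through that scope chain. The bug
    // was that after OSR into Ion the scope chain could be dropped from the
    // bailout snapshot for the inlined call to |f|.
    var testargs = arguments;
    var sink = testargs[1];      // hypothetical: where successful lookups go
    var f = function (which) {
        var args = [ testargs ];
        return args[which][0];   // args[1] is undefined, so [0] throws
    };
    var arr = [0, 0, 0, 0, 1];
    for (var i = 0; i < arr.length; i++)
        sink.push(f(arr[i]));
    return sink;                 // not reached: the fifth iteration throws
}

// Run the testcase and report what it produced before throwing.
function runTestcase() {
    var sink = [];
    var thrown = null;
    try {
        testMultipleArgumentsObjects("first", sink);
    } catch (e) {
        thrown = e;
    }
    return { values: sink, thrown: thrown };
}

// Stand-alone check, mirroring what a jit-test would assert.
var result = runTestcase();
if (result.values.join() !== "first,first,first,first" ||
    !(result.thrown instanceof TypeError)) {
    throw new Error("testcase did not behave as expected");
}
```

The four "first" values show that the closure observed the real arguments object of the outer call (testargs[0]), which is exactly what the engine must keep reachable across the bailout; the TypeError on the last iteration is the expected, not the crashing, outcome.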
(Assignee)

Comment 18

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/e41c12eedc22
https://hg.mozilla.org/mozilla-central/rev/e41c12eedc22
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27