Closed Bug 934789 Opened 11 years ago Closed 11 years ago

Assertion Failure: type() != NAMED_LAMBDA in ScopeCoordinateToStaticScopeShape

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

RESOLVED FIXED
mozilla28

People

(Reporter: dhylands, Assigned: jandem)

Attachments

(2 files)

I rebuilt my unagi (gaia-master, gecko-b2g-inbound). I was using VARIANT=userdebug, B2G_DEBUG=1. After booting, I can reproduce the following assertion by trying to reduce the volume (3 times out of 3):

Program received signal SIGSEGV, Segmentation fault.
0x42368aa6 in js::StaticScopeIter::scopeShape (this=0xbed583d8) at /home/work/B2G-unagi/birch/js/src/vm/ScopeObject.cpp:74
74 JS_ASSERT(type() != NAMED_LAMBDA);
(gdb) bt
#0 0x42368aa6 in js::StaticScopeIter::scopeShape (this=0xbed583d8) at /home/work/B2G-unagi/birch/js/src/vm/ScopeObject.cpp:74
#1 0x4236af56 in js::ScopeCoordinateToStaticScopeShape (cx=<value optimized out>, script=<value optimized out>, pc=<value optimized out>) at /home/work/B2G-unagi/birch/js/src/vm/ScopeObject.cpp:130
#2 0x425f0254 in js::jit::BaselineCompiler::getScopeCoordinateAddressFromObject (this=0xbed58650, objReg=..., reg=...) at /home/work/B2G-unagi/birch/js/src/jit/BaselineCompiler.cpp:1910
#3 0x425f4ff8 in js::jit::BaselineCompiler::getScopeCoordinateAddress (this=0xbed58650) at /home/work/B2G-unagi/birch/js/src/jit/BaselineCompiler.cpp:1925
#4 js::jit::BaselineCompiler::emit_JSOP_GETALIASEDVAR (this=0xbed58650) at /home/work/B2G-unagi/birch/js/src/jit/BaselineCompiler.cpp:1933
#5 0x425fc792 in js::jit::BaselineCompiler::emit_JSOP_CALLALIASEDVAR (this=0xbed58650) at /home/work/B2G-unagi/birch/js/src/jit/BaselineCompiler.cpp:1947
#6 js::jit::BaselineCompiler::emitBody (this=0xbed58650) at /home/work/B2G-unagi/birch/js/src/jit/BaselineCompiler.cpp:794
#7 0x425fcb6a in js::jit::BaselineCompiler::compile (this=0xbed58650) at /home/work/B2G-unagi/birch/js/src/jit/BaselineCompiler.cpp:95
#8 0x4241044c in js::jit::BaselineCompile (cx=0x476a4540, script=...) at /home/work/B2G-unagi/birch/js/src/jit/BaselineJIT.cpp:234
#9 0x42410626 in CanEnterBaselineJIT (cx=0x476a4540, script=..., osr=false) at /home/work/B2G-unagi/birch/js/src/jit/BaselineJIT.cpp:299
#10 0x4241073e in js::jit::CanEnterBaselineMethod (cx=0x476a4540, state=<value optimized out>) at /home/work/B2G-unagi/birch/js/src/jit/BaselineJIT.cpp:356
#11 0x4234a804 in js::RunScript (cx=0x476a4540, state=...) at /home/work/B2G-unagi/birch/js/src/vm/Interpreter.cpp:405
#12 0x4234ae28 in js::Invoke (cx=0x476a4540, args=..., construct=js::NO_CONSTRUCT) at /home/work/B2G-unagi/birch/js/src/vm/Interpreter.cpp:482
#13 0x4234b72e in js::Invoke (cx=0x476a4540, thisv=..., fval=..., argc=1, argv=0xbed5a568, rval=...) at /home/work/B2G-unagi/birch/js/src/vm/Interpreter.cpp:513
#14 0x421f2194 in JS_CallFunctionValue (cx=0x476a4540, objArg=<value optimized out>, fval=..., argc=1, argv=0xbed5a568, rval=0xbed5a5d8) at /home/work/B2G-unagi/birch/js/src/jsapi.cpp:4906
#15 0x41b2b236 in mozilla::dom::EventListener::HandleEvent (this=<value optimized out>, cx=0x476a4540, aThisObj=..., event=<value optimized out>, aRv=...) at /home/work/B2G-unagi/objdir-gecko-debug-userdebug-birch/dom/bindings/EventListenerBinding.cpp:44
#16 0x41319fec in HandleEvent<mozilla::dom::EventTarget*> (this=0x4722fe80, aListenerStruct=<value optimized out>, aListener=<value optimized out>, aDOMEvent=<value optimized out>, aCurrentTarget=0x446086f0, aPusher=0xbed5a810) at ../../../dist/include/mozilla/dom/EventListenerBinding.h:51
#17 nsEventListenerManager::HandleEventSubType (this=0x4722fe80, aListenerStruct=<value optimized out>, aListener=<value optimized out>, aDOMEvent=<value optimized out>, aCurrentTarget=0x446086f0, aPusher=0xbed5a810) at /home/work/B2G-unagi/birch/content/events/src/nsEventListenerManager.cpp:952
#18 0x4131a246 in nsEventListenerManager::HandleEventInternal (this=0x4722fe80, aPresContext=<value optimized out>, aEvent=0x45617420, aDOMEvent=0xbed5a87c, aCurrentTarget=0x446086f0, aEventStatus=0xbed5a880, aPusher=0xbed5a810) at /home/work/B2G-unagi/birch/content/events/src/nsEventListenerManager.cpp:1029
#19 0x413174aa in nsEventListenerManager::HandleEvent (this=<value optimized out>, aVisitor=..., aCd=<value optimized out>, aPusher=0xbed5a810) at /home/work/B2G-unagi/birch/content/events/src/nsEventListenerManager.h:326
#20 nsEventTargetChainItem::HandleEvent (this=<value optimized out>, aVisitor=..., aCd=<value optimized out>, aPusher=0xbed5a810) at /home/work/B2G-unagi/birch/content/events/src/nsEventDispatcher.cpp:197
#21 0x413175fe in nsEventTargetChainItem::HandleEventTargetChain (aChain=..., aVisitor=..., aCallback=0x0, aCd=..., aPusher=0xbed5a810) at /home/work/B2G-unagi/birch/content/events/src/nsEventDispatcher.cpp:292
#22 0x41318576 in nsEventDispatcher::Dispatch (aTarget=<value optimized out>, aPresContext=0x473af000, aEvent=0x45617420, aDOMEvent=<value optimized out>, aEventStatus=0xbed5a918, aCallback=0x0, aTargets=0x0) at /home/work/B2G-unagi/birch/content/events/src/nsEventDispatcher.cpp:609
#23 0x4131872e in nsEventDispatcher::DispatchDOMEvent (aTarget=0x44607880, aEvent=0x45617420, aDOMEvent=0x45630780, aPresContext=0x473af000, aEventStatus=0xbed5a918) at /home/work/B2G-unagi/birch/content/events/src/nsEventDispatcher.cpp:676
#24 0x414a596c in nsGlobalWindow::DispatchEvent (this=0x446086f0, aEvent=0x45630780, aRetVal=0xbed5ab00) at /home/work/B2G-unagi/birch/dom/base/nsGlobalWindow.cpp:8931
#25 0x41d38fce in NS_InvokeByIndex (that=0x446086f0, methodIndex=7, paramCount=<value optimized out>, params=<value optimized out>) at /home/work/B2G-unagi/birch/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:164
#26 0x417e7efc in CallMethodHelper::Invoke (this=0xbed5aac8) at /home/work/B2G-unagi/birch/js/xpconnect/src/XPCWrappedNative.cpp:2797
#27 CallMethodHelper::Call (this=0xbed5aac8) at /home/work/B2G-unagi/birch/js/xpconnect/src/XPCWrappedNative.cpp:2137
#28 0x417e9136 in XPCWrappedNative::CallMethod (ccx=..., mode=<value optimized out>) at /home/work/B2G-unagi/birch/js/xpconnect/src/XPCWrappedNative.cpp:2103
#29 0x417ef84e in XPC_WN_CallMethod (cx=0x456f2120, argc=1, vp=<value optimized out>) at /home/work/B2G-unagi/birch/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1311
#30 0x42337b60 in js::CallJSNative (cx=0x456f2120, native=0x417ef741 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/work/B2G-unagi/birch/js/src/jscntxtinlines.h:220
#31 0x4234ae92 in js::Invoke (cx=0x456f2120, args=..., construct=js::NO_CONSTRUCT) at /home/work/B2G-unagi/birch/js/src/vm/Interpreter.cpp:463
#32 0x4234b72e in js::Invoke (cx=0x456f2120, thisv=..., fval=..., argc=1, argv=0xbed5b368, rval=...) at /home/work/B2G-unagi/birch/js/src/vm/Interpreter.cpp:513
#33 0x424022b6 in DoCallFallback (cx=0x456f2120, frame=<value optimized out>, stub=0x472d1fb0, argc=<value optimized out>, vp=0xbed5b358, res=...) at /home/work/B2G-unagi/birch/js/src/jit/BaselineIC.cpp:7672
#34 0x43948338 in ?? ()
#35 0x43948338 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) call PrintJSStack()
$1 = 0x45797380 "JavaScript stack is empty\n"
Thanks for the report! This should be quite fixable if we could see the offending script and pc. If you are able to rebuild, it would be incredibly helpful if you could put a:

printf("Compiling %s:%d\n", script->filename(), (int)script->lineno);

at the top of jit::BaselineCompile in js/src/jit/BaselineJIT.cpp and a

printf("ScopeCoordinateToStaticScopeShape at offset %d\n", int(pc - script->code));

at the top of BaselineCompiler::getScopeCoordinateAddressFromObject in js/src/jit/BaselineCompiler.cpp. (Or perhaps these have to be __android_log_print's? I don't know how console out works on b2g.) Thanks!
I figured I'd include the complete log. The assertion happens on line 1687. The lines with "JIT" are the lines I added (as per the previous comment). An excerpt from the log shows:

##### Compiling app://system.gaiamobile.org/js/visibility_manager.js:27
##### Compiling chrome://browser/content/shell.js:442
##### Compiling chrome://browser/content/shell.js:537
##### Compiling chrome://browser/content/shell.js:523
##### Compiling app://system.gaiamobile.org/js/activities.js:11
##### Compiling app://system.gaiamobile.org/js/screenshot.js:84
ScopeCoordinateToStaticScopeShape at offset 1
ScopeCoordinateToStaticScopeShape at offset 31
ScopeCoordinateToStaticScopeShape at offset 57
ScopeCoordinateToStaticScopeShape at offset 87
ScopeCoordinateToStaticScopeShape at offset 104
ScopeCoordinateToStaticScopeShape at offset 139
ScopeCoordinateToStaticScopeShape at offset 168
ScopeCoordinateToStaticScopeShape at offset 182
Assertion failure: type() != NAMED_LAMBDA, at /home/work/B2G-unagi/birch/js/src/vm/ScopeObject.cpp:74

Assuming that screenshot.js is the offending file (since it's the last one), I'll grab it from the appropriate application.zip file so that you have the preprocessed version and add that as a separate attachment.
Hopefully, this is the correct source file.
Thanks a lot! This is really helpful. Using 'dis' (which calls ScopeCoordinateToStaticScopeShape on every aliased op in the script) I can get a simple shell testcase:

(function() {
  function foo() {}
  dis(function bar(e) {
    try {
      (function() { e; });
    } catch (e) {
      foo(); // << assertion in dis() here
    }
  });
}());

The bug seems to involve the shadowing of the outer parameter name 'e' by the inner catch block 'e'.
Component: JavaScript Engine: JIT → JavaScript Engine
OS: Linux → All
Hardware: x86_64 → All
Summary: Assertion Failure: type() != NAMED_LAMBDA while trying to change volume on FxOS → Assertion Failure: type() != NAMED_LAMBDA in ScopeCoordinateToStaticScopeShape
The issue reproduces on trunk, but not on beta or aurora, so it looks like a recent regression. Gary, any chance you could throw this testcase to your auto-bisect and find the culprit? I think this is a parser/emitter regression: the ScopeCoordinate for the callaliasedvar 'foo' has 2 hops; it should be 3 (+1 for catch block, +1 for call object, +1 for named lambda (declenv) object to get to the enclosing call object). CC'ing some frontend hackers who may know of recent changes that could have caused this.
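The hop count reasoning above, as an added example that is not code from the bug or from SpiderMonkey: a simplified model of static-scope coordinates (hops, slot), with the scope chain constructed to mirror the testcase (catch block, bar's call object, bar's named-lambda DeclEnv, enclosing call object holding foo). A resolver that forgets to count the DeclEnv emits 2 hops, and a consumer walking 2 hops lands on the DeclEnv, which is the condition the page's assertion guards against.

```javascript
// Added example: simplified model of SpiderMonkey-style scope coordinates.
// Scope kinds, names and the chain itself are constructed here, not taken from the engine.
const NAMED_LAMBDA = 'named-lambda';

// Static scopes as seen from the `foo()` call inside bar's catch block, innermost first.
const scopesAtFooCall = [
  { kind: 'block', names: ['e'] },         // catch (e) { ... }
  { kind: 'call', names: ['e'] },          // bar's call object: parameter e
  { kind: NAMED_LAMBDA, names: ['bar'] },  // DeclEnv holding the name of the named lambda bar
  { kind: 'call', names: ['foo'] },        // enclosing anonymous function: function foo() {}
];

// Resolve a name to (hops, slot) by walking outward. Every scope object on the chain,
// including the named-lambda DeclEnv, costs one hop. `skipNamedLambda` models the
// undercount the comment above describes (2 hops instead of 3).
function resolve(scopes, name, { skipNamedLambda = false } = {}) {
  let hops = 0;
  for (const scope of scopes) {
    const slot = scope.names.indexOf(name);
    if (slot !== -1) return { hops, slot };
    if (!(skipNamedLambda && scope.kind === NAMED_LAMBDA)) hops++;
  }
  return null;
}

// Consume a coordinate the way a runtime walk does: skip `hops` scopes, then read `slot`
// from the scope landed on. Landing on a DeclEnv is the page's assertion site; report null.
function lookup(scopes, { hops, slot }) {
  const target = scopes[hops];
  if (!target || target.kind === NAMED_LAMBDA) return null;
  const found = target.names[slot];
  return found === undefined ? null : found;
}

function demo() {
  const good = resolve(scopesAtFooCall, 'foo');                           // hops 3
  const bad = resolve(scopesAtFooCall, 'foo', { skipNamedLambda: true }); // hops 2
  return {
    good, bad,
    goodName: lookup(scopesAtFooCall, good),  // 'foo'
    badName: lookup(scopesAtFooCall, bad),    // null: walked onto the DeclEnv
  };
}
```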
Setting a needinfo on myself for bisection.
Flags: needinfo?(gary)
Blocks: 933798
Looks like no need for bisection, Gary.
Flags: needinfo?(gary)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Assignee: nobody → jdemooij
Target Milestone: --- → mozilla28
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/495a9c210b91
user: Jan de Mooij
date: Mon Nov 04 11:40:24 2013 +0100
summary: Bug 933798 - Don't unnecessarily deoptimize name accesses in try blocks in lazily parsed functions. r=bhackett

I'm late to the game but yes, bug 933798 seems to be the one at fault here.