Closed Bug 958732 Opened 6 years ago Closed 6 years ago

When loading e.g. about:config on fennec debug build: MOZ_Assert(24904): Assertion failure: typeAlloc->isArgument(), at /Users/dholbert/builds/fennec/mozilla/js/src/jit/LinearScan.cpp:595


(Core :: JavaScript Engine: JIT, defect, critical)

(Reporter: dholbert, Unassigned)



(Keywords: assertion, regression)

 1. Install a fennec --enable-debug --disable-optimize build.
   (I built mine locally on Mac OS, using up-to-date mozilla-central (rev e89afc241513). I'm not sure if --disable-optimize matters; that's just what I had in my build)

 2. Visit about:config, in that fennec build.

ACTUAL RESULTS: immediate crash with:
F/MOZ_Assert(24904): Assertion failure: typeAlloc->isArgument(), at /Users/dholbert/builds/fennec/mozilla/js/src/jit/LinearScan.cpp:595
F/libc    (24904): Fatal signal 11 (SIGSEGV) at 0x00000000 (code=1), thread 24989 (Analysis Helper)
I/DEBUG   (24839): unexpected waitpid response: n=24989, status=00000b00
I/DEBUG   (24839): ptrace detach from 24989 failed: No such process
I/DEBUG   (24839): debuggerd committing suicide to free the zombie!
I/DEBUG   (25155): debuggerd: Dec  4 2013 23:15:41
I/ActivityManager( 1363): Process org.mozilla.fennec_dholbert (pid 24904) has died.

I also hit this when loading the wired URL from bug 957006 comment 4.
(Not surprisingly, this issue goes away if I set javascript.options.ion.content to false, in all.js, and rebuild/package/install).
Ah, great find.  I think we were just hitting that assert in bug 943925 (independently of the central issue of the bug).

This should probably be high-priority, since it's popping up as a red herring in other bugs (and blocking debugging in other bugs, since this is fatal). At least, that's been the case for bug 957006 and bug 943925, it looks like.

(This is workaroundable with an all.js tweak, per comment 1, but that's not obvious when you hit this, and it requires a rebuild.)
gwagner says in IRC that he's hitting this on B2G (today, for the first time), as well. So, likely a recent regression.
Blocks: 956325
This also happens on b2g when we start the phone with FTU and try to import facebook contacts.
A stack from b2g:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 915.967]
0xb5f94690 in back (this=<optimized out>) at ../../dist/include/mozilla/Vector.h:384
384	      MOZ_ASSERT(!entered);
(gdb) bt
#0  0xb5f94690 in back (this=<optimized out>) at ../../dist/include/mozilla/Vector.h:384
#1  start (this=<optimized out>) at ../../../js/src/jit/LiveRangeAllocator.h:268
#2  findFirstSafepoint (startFrom=<optimized out>, interval=<optimized out>, this=<optimized out>) at ../../../js/src/jit/LiveRangeAllocator.h:721
#3  js::jit::LinearScanAllocator::populateSafepoints (this=0xb28ff3d8) at ../../../js/src/jit/LinearScan.cpp:499
#4  0xb5f98250 in js::jit::LinearScanAllocator::go (this=0xb28ff3d8) at ../../../js/src/jit/LinearScan.cpp:1272
#5  0xb5f39a22 in js::jit::GenerateLIR (mir=0xb0212170) at ../../../js/src/jit/Ion.cpp:1436
#6  0xb5f39ade in js::jit::CompileBackEnd (mir=0xb0212170, maybeMasm=0x0) at ../../../js/src/jit/Ion.cpp:1527
#7  0xb60f958a in js::WorkerThread::handleIonWorkload (this=0xb2a32000, state=...) at ../../../js/src/jsworkers.cpp:785
#8  0xb60f9f8a in js::WorkerThread::threadLoop (this=0xb2a32000) at ../../../js/src/jsworkers.cpp:1024
#9  0xb492b488 in _pt_root (arg=0xb2a8e380) at ../../../../../nsprpub/pr/src/pthreads/ptthread.c:205
#10 0xb6ee6a5c in __thread_entry (func=0xb492b3e9 <_pt_root>, arg=0xb2a8e380, tls=0xb28fff00) at bionic/libc/bionic/pthread_create.cpp:92
#11 0xb6ee6bd8 in pthread_create (thread_out=0xbea2363c, attr=<optimized out>, start_routine=0x78, arg=0xb2a8e380) at bionic/libc/bionic/pthread_create.cpp:201
All our mochitest suites on debug emulator for b2g are crashing now because of this. They are scheduled to go live on all inbound trees on Monday.
Blocks: 940161, 933355
Severity: normal → critical
It's a bogus assert; the patch in bug 958432 removes it (and another assert). Can you try that patch and see if it fixes the test failures for you?
Component: JavaScript Engine → JavaScript Engine: JIT
(In reply to Jan de Mooij [:jandem] from comment #8)
> It's a bogus assert; the patch in bug 958432 removes it (and another
> assert). Can you try that patch and see if it fixes the test failures
> for you?

I pushed it to pine:
I'm hitting something similar, but different. nbp had a look at it on my laptop. Filed as bug 959126.
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 958432