The following testcase crashes on mozilla-central revision ed70d2025bee (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --disable-debug, run with --no-threads --ion-eager --arm-asm-nop-fill=1): var y = -1; this.__defineGetter__("x", gc); function f() {} loadFile("gczeal(14); for (var j = 0; j < 99; ++j) x += f();"); function loadFile(lfVarx) { switch (y) { default: evaluate(lfVarx, { noScriptRval : true, compileAndGo : true }); } } Backtrace: Program received signal SIGSEGV, Segmentation fault. js::jit::SetPropertyIC::update(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>) () at js/src/jit/IonCode.h:322 #0 js::jit::SetPropertyIC::update(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>) () at js/src/jit/IonCode.h:322 #1 0x08432cc9 in js::jit::Simulator::softwareInterrupt(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:2158 #2 0x0843310c in js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:4177 #3 0x084357f4 in js::jit::Simulator::callInternal(unsigned char*) () at js/src/jit/arm/Simulator-arm.cpp:4232 #4 0x08435a06 in js::jit::Simulator::call(unsigned char*, int, ...) () at js/src/jit/arm/Simulator-arm.cpp:4403 #5 0x0839baa9 in js::jit::IonCannon(JSContext*, js::RunState&) () at js/src/jit/Ion.cpp:2336 #6 0x08198703 in js::RunScript(JSContext*, js::RunState&) () at js/src/vm/Interpreter.cpp:428 #7 0x0819ef22 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) () at js/src/vm/Interpreter.cpp:654 #8 0x0819f227 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) () at js/src/vm/Interpreter.cpp:691 #9 0x084d59a0 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) () at js/src/jsapi.cpp:3994 #10 0x0806a0d0 in Evaluate(JSContext*, unsigned int, JS::Value*) () at js/src/shell/js.cpp:1320 #11 0x0819889a in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) () at js/src/jscntxtinlines.h:226 #12 0x08198dec in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) () at js/src/vm/Interpreter.cpp:554 #13 0x08300f86 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) () at js/src/jit/BaselineIC.cpp:9561 #14 0x08432c09 in js::jit::Simulator::softwareInterrupt(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:2172 #15 0x0843310c in js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:4177 #16 0x084357f4 in js::jit::Simulator::callInternal(unsigned char*) () at js/src/jit/arm/Simulator-arm.cpp:4232 #17 0x08435a06 in js::jit::Simulator::call(unsigned char*, int, ...) () at js/src/jit/arm/Simulator-arm.cpp:4403 #18 0x0839baa9 in js::jit::IonCannon(JSContext*, js::RunState&) () at js/src/jit/Ion.cpp:2336 #19 0x08198703 in js::RunScript(JSContext*, js::RunState&) () at js/src/vm/Interpreter.cpp:428 #20 0x08198817 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) () at js/src/vm/Interpreter.cpp:517 #21 0x08198dec in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) () at js/src/vm/Interpreter.cpp:554 #22 0x08300f86 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) () at js/src/jit/BaselineIC.cpp:9561 #23 0x08432c09 in js::jit::Simulator::softwareInterrupt(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:2172 #24 0x0843310c in js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:4177 #25 0x084357f4 in js::jit::Simulator::callInternal(unsigned char*) () at js/src/jit/arm/Simulator-arm.cpp:4232 #26 0x08435a06 in js::jit::Simulator::call(unsigned char*, int, ...) () at js/src/jit/arm/Simulator-arm.cpp:4403 #27 0x0829327a in EnterBaseline(JSContext*, js::jit::EnterJitData&) () at js/src/jit/BaselineJIT.cpp:122 #28 0x082bf3c9 in js::jit::EnterBaselineMethod(JSContext*, js::RunState&) () at js/src/jit/BaselineJIT.cpp:154 #29 0x08198655 in js::RunScript(JSContext*, js::RunState&) () at js/src/vm/Interpreter.cpp:438 #30 0x0819ef22 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) () at js/src/vm/Interpreter.cpp:654 #31 0x0819f227 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) () at js/src/vm/Interpreter.cpp:691 #32 0x084d59a0 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) () at js/src/jsapi.cpp:3994 #33 0x0804b680 in Process(JSContext*, JSObject*, char const*, bool) () at js/src/shell/js.cpp:454 #34 0x0805941d in main () at js/src/shell/js.cpp:5604 eax 0x0 0 ebx 0x9329458 154309720 ecx 0xf68febfc -158340100 edx 0xffffaf48 -20664 esi 0x9385500 154686720 edi 0x155 341 ebp 0x9386190 154689936 esp 0xffffaeb0 4294946480 eip 0x8386ec5 <js::jit::SetPropertyIC::update(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>)+245> => 0x8386ec5 <_ZN2js3jit13SetPropertyIC6updateEP9JSContextjN2JS6HandleIP8JSObjectEENS5_INS4_5ValueEEE+245>: add 0x28(%eax),%eax 0x8386ec8 <_ZN2js3jit13SetPropertyIC6updateEP9JSContextjN2JS6HandleIP8JSObjectEENS5_INS4_5ValueEEE+248>: add 0x164(%esp),%eax Marking s-s for now because the test uses gc.

Is the bisector broken?

Yes. JSBugMon is (was) running on fuzzer-linux2, that machine is currently down per bug 1134152.

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Looks like --arm-asm-nop-fill support was missing in JSBugMon. Trying once more.

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/7584b643e7e9 user: Shu-yu Guo date: Wed Jan 07 01:18:42 2015 -0800 summary: Bug 1118038 - Remove JIT parts of PJS. (r=lth) This iteration took 235.055 seconds to run.

I cannot reproduce this.

(In reply to Shu-yu Guo [:shu] from comment #7) > I cannot reproduce this. Scratch that, I can reproduce this, forgot to run with --arm-asm-nop-fill=1.

I asked Marty to take a look at this. He identified a bug with using masm.offset() and constant pools. Redirecting NI to him.

Naveed, is there somebody who can look at this? Thanks.

JSBugMon: The testcase found in this bug no longer reproduces (tried revision b9424d63fe35).

JSBugMon: Fix Bisection requested, failed due to error (try manually).

autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/9571f765357d user: Jon Coppeard date: Wed May 20 10:30:46 2015 +0100 summary: Bug 1135707 - Fix interaction between Arm NOP fill and calculation of IonCache rejoin label r=jandem Jon, is bug 1135707 a likely fix?

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #13) Yes, this looks like the same issue.