(function() { evaluate("function f(){};function g(){}"); var x = ''; h(); function h() { g(''); /y/.e; f(x); } })() crashes js opt shell on m-c changeset 3f135a8ead22 with --fuzzing-safe --no-threads --ion-eager at js::ScopeCoordinateName and with --fuzzing-safe --no-threads --no-ion at js::RunScript Configure options: CC="gcc -m32 -msse2 -mfpmath=sse" CXX="g++ -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh /home/ubuntu/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/funfuzz/js/compileShell.py -b "--32 --enable-nspr-build --enable-more-deterministic -R /home/ubuntu/trees/mozilla-central" -r 3f135a8ead22 Due to skipped revisions, the first bad revision could be any of: changeset: https://hg.mozilla.org/mozilla-central/rev/8a416fedec44 user: Shu-yu Guo date: Sun Jun 21 11:49:57 2015 -0700 summary: Bug 1165486 - Rename hasPollutedGlobalScope to hasNonSyntacticScope. (r=luke) changeset: https://hg.mozilla.org/mozilla-central/rev/f2f099600f57 user: Shu-yu Guo date: Sun Jun 21 11:49:57 2015 -0700 summary: Bug 1165486 - Add StaticNonSyntacticScopeObjects and teach scope iterators about it. (r=luke) changeset: https://hg.mozilla.org/mozilla-central/rev/cf29e5d83bcd user: Shu-yu Guo date: Sun Jun 21 11:49:57 2015 -0700 summary: Bug 1165486 - Detect with scopes at parse time using the static scope chain instead of treating it as a polluted global. (r=luke) changeset: https://hg.mozilla.org/mozilla-central/rev/924f41548f1a user: Shu-yu Guo date: Sun Jun 21 11:49:57 2015 -0700 summary: Bug 1165486 - Remove PollutedGlobalScopeOption in favor of using the static scope chain to detect non-syntactic scopes. (r=luke) changeset: https://hg.mozilla.org/mozilla-central/rev/7f9252925e26 user: Shu-yu Guo date: Sun Jun 21 11:49:57 2015 -0700 summary: Bug 1165486 - Restructure function and script cloning in light of PollutingGlobal scope changes. (r=Waldo) Shu-yu, is bug 1165486 a likely regressor? This seems to only occur on 32-bit opt builds, not debug, not 64-bit, with GCC 4.8. $ gcc --version gcc-4.8.real (Ubuntu 4.8.4-2ubuntu1~14.04) 4.8.4 Copyright (C) 2013 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

(gdb) bt 5 #0 js::ScopeCoordinateName (cache=..., script=0xf674b280, pc=0xf6681791 "\210") at /home/ubuntu/trees/mozilla-central/js/src/vm/ScopeObject.cpp:92 #1 0x083f21ac in js::jit::IonBuilder::jsop_getaliasedvar (this=this@entry=0xf66c30e8, sc=...) at /home/ubuntu/trees/mozilla-central/js/src/jit/IonBuilder.cpp:12386 #2 0x0840963d in js::jit::IonBuilder::inspectOpcode (this=this@entry=0xf66c30e8, op=op@entry=JSOP_GETALIASEDVAR) at /home/ubuntu/trees/mozilla-central/js/src/jit/IonBuilder.cpp:1909 #3 0x0840997d in js::jit::IonBuilder::traverseBytecode (this=this@entry=0xf66c30e8) at /home/ubuntu/trees/mozilla-central/js/src/jit/IonBuilder.cpp:1506 #4 0x08409e06 in js::jit::IonBuilder::build (this=0xf66c30e8) at /home/ubuntu/trees/mozilla-central/js/src/jit/IonBuilder.cpp:905 (More stack frames follow...) (gdb)

This seems to be happening often with EC2 VMs running jsfunfuzz - variants crash with nothing on the stack (which reduce to this testcase).

I can't reproduce under 32bit gcc-5.2. The stacks look odd, especially the no-ion one that reports frame #0 having a cx=0x0. Let me know if you manage to trap this under gdb or something. As is I'm afraid this isn't actionable for me. :(

OK, I have this trapped in gdb again. Here is a full backtrace. Let me know how you would like to proceed with this.

I've confirmed that using the following compiler on 15.04: $ gcc --version gcc-4.9.real (Ubuntu 4.9.2-10ubuntu13) 4.9.2 Copyright (C) 2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. instead of GCC 4.8 on 14.04 LTS, the testcase in comment 0 no longer crashes a build as specified in comment 0. (essentially --enable-optimize --disable-debug) Resolving INVALID as this does not seem to be a Mozilla issue.

I wouldn't be so quick to go from "switching to a newer compiler fixes it" to "it's not a bug in SpiderMonkey". In general, such differences are more likely to be due to changed optimizations rather than the old version actually generating incorrect machine code.

In this case, setting needinfo? back to Shu-yu, who had been suggesting to upgrade gcc as a form of a solution.

I still don't know how to debug this. Because gdb was showing cx != nullptr in one frame, and cx == nullptr one frame down, despite cx never being assigned to. With this not producing on --disable-optimize builds and gdb giving me bogus, I have no idea how to debug it.

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Crash volume for signature 'js::ScopeCoordinateName': - nightly (version 50): 1 crash from 2016-06-06. - aurora (version 49): 0 crashes from 2016-06-07. - beta (version 48): 12 crashes from 2016-06-06. - release (version 47): 43 crashes from 2016-05-31. - esr (version 45): 4 crashes from 2016-04-07. Crash volume on the last weeks: W. N-1 W. N-2 W. N-3 W. N-4 W. N-5 W. N-6 W. N-7 - nightly 0 0 1 0 0 0 0 - aurora 0 0 0 0 0 0 0 - beta 3 2 3 1 2 0 1 - release 6 5 7 3 8 8 4 - esr 0 0 1 0 0 2 0 Affected platforms: Windows, Mac OS X

FWIW, the whole cache could be removed at measurably-negligible bytecode size increase by embedding the atom-index of names in the bytecode.

Volume is super small, not sure I care...

What should we do here?

Not high volume, but we could still take a patch for 50. Marking fix-optional for 50.

I'd go with WFM here now. Even GCC 4.9 (which seems to cause the issue to go away) seems to no longer be supported for compilation in favour of 5 and up. Plus, the js::ScopeCoordinateName signature no longer exists. Let's file new issues if anything related crops up going forward, and move on.