Closed Bug 1213576 Opened 9 years ago Closed 9 years ago

Assertion failure: &i.block() == scope->as<ClonedBlockObject>().staticScope(), at js/src/vm/Stack.cpp:166

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1213574
Tracking Status
firefox44 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

The following testcase crashes on mozilla-central revision c6ede6f30f3d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

    var lfcode = new Array();
    // Fuzzer idiom: every push() compiles and runs the pushed source in a fresh global.
    lfcode.push = loadFile;
    lfcode.push(`
      var myObj = {p1: 'a', }
      with(myObj){
        var f = function(){ }
      }
      result = f();
    `);
    function loadFile(lfVarx) {
      var lfGlobal = newGlobal();               // JS shell builtin: new global in its own compartment
      lfGlobal.offThreadCompileScript(lfVarx);  // JS shell builtin: compile the source on a helper thread
      lfGlobal.runOffThreadScript();            // JS shell builtin: run the compiled script; the assertion fires under this call
    }

Backtrace:

    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  0x0871aec5 in AssertDynamicScopeMatchesStaticScope (cx=<optimized out>, script=<optimized out>, scope=<optimized out>) at js/src/vm/Stack.cpp:166
    #1  0x0871bb27 in js::InterpreterFrame::prologue (this=0xf4fb4120, cx=cx@entry=0xf7177020) at js/src/vm/Stack.cpp:248
    #2  0x0865b29f in Interpret (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:3131
    #3  0x08661e49 in js::RunScript (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:708
    #4  0x0866464a in js::ExecuteKernel (cx=cx@entry=0xf7177020, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0xffd56820) at js/src/vm/Interpreter.cpp:983
    #5  0x08664ad7 in js::Execute (cx=cx@entry=0xf7177020, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0xffd56820) at js/src/vm/Interpreter.cpp:1018
    #6  0x084b8d1f in ExecuteScript (cx=cx@entry=0xf7177020, scope=..., scope@entry=..., script=script@entry=..., rval=rval@entry=0xffd56820) at js/src/jsapi.cpp:4505
    #7  0x084b8ea5 in JS_ExecuteScript (cx=cx@entry=0xf7177020, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4531
    #8  0x080e8f84 in runOffThreadScript (cx=0xf7177020, argc=0, vp=0xffd56820) at js/src/shell/js.cpp:3438
    #9  0x086658fa in js::CallJSNative (cx=0xf7177020, native=0x80e8e90 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
    #10 0x08662797 in js::Invoke (cx=cx@entry=0xf7177020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:767
    #11 0x0866372a in js::Invoke (cx=cx@entry=0xf7177020, thisv=..., fval=..., argc=0, argv=0xffd56bd0, rval=...) at js/src/vm/Interpreter.cpp:822
    #12 0x085cecb2 in js::DirectProxyHandler::call (this=this@entry=0x982db6c <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xf7177020, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
    #13 0x085c1f2d in js::CrossCompartmentWrapper::call (this=0x982db6c <js::CrossCompartmentWrapper::singleton>, cx=0xf7177020, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
    #14 0x085cdada in js::Proxy::call (cx=cx@entry=0xf7177020, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:412
    #15 0x085cdb7a in js::proxy_Call (cx=0xf7177020, argc=0, vp=0xffd56bc0) at js/src/proxy/Proxy.cpp:710
    #16 0x086658fa in js::CallJSNative (cx=0xf7177020, native=0x85cdb00 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
    #17 0x08662797 in js::Invoke (cx=cx@entry=0xf7177020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:767
    #18 0x0866372a in js::Invoke (cx=cx@entry=0xf7177020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0xffd56ee0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:822
    #19 0x088af58f in js::jit::DoCallFallback (cx=0xf7177020, frame=0xffd56f00, stub_=0xf4f2a170, argc=0, vp=0xffd56ed0, res=...) at js/src/jit/BaselineIC.cpp:8996
    #20 0xf77406be in ?? ()
    #21 0xf4f2a170 in ?? ()
    #22 0xf7747f3a in ?? ()
    #23 0xf4f1c010 in ?? ()
    #24 0xf773fc5c in ?? ()
    #25 0x0822d3c5 in EnterBaseline (cx=0xf4f2a170, cx@entry=0xf7177020, data=...) at js/src/jit/BaselineJIT.cpp:126
    #26 0x082660e9 in js::jit::EnterBaselineAtBranch (cx=0xf7177020, fp=0xf4fb4028, pc=0xf713ede1 "\343\201C\b\377\377\377Z\231\230,\210\004\235/\210\bʘ;\210\t\230\001\220א\210\004\226\210\004\226\210\004\226\210\004\225\210\bʐ\210\bʐ\210\bϘ\002\234\v\210\003\230\016Ј\026\220Ј\027\220Ј \220Ј\027\220Ј?\220Ј\024\220Ј\030\230\031Ј#\220Ј\037\230\035Ј,\230\037\210\004\314\b\225\210\002Έ\020\230,\210\004͈\020\230.(\200") at js/src/jit/BaselineJIT.cpp:229
    #27 0x08661b3b in Interpret (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:2119
    #28 0x08661e49 in js::RunScript (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:708
    #29 0x0866464a in js::ExecuteKernel (cx=cx@entry=0xf7177020, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:983
    #30 0x08664ad7 in js::Execute (cx=cx@entry=0xf7177020, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1018
    #31 0x084b8d1f in ExecuteScript (cx=cx@entry=0xf7177020, scope=..., scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4505
    #32 0x084b8f46 in JS_ExecuteScript (cx=cx@entry=0xf7177020, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4538
    #33 0x0806b6b0 in RunFile (compileOnly=false, file=0xf71ea9e0, filename=0xffd59c0f "driver.js", cx=0xf7177020) at js/src/shell/js.cpp:469
    #34 Process (cx=cx@entry=0xf7177020, filename=0xffd59c0f "driver.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:587
    #35 0x080e0101 in ProcessArgs (op=0xffd57ca0, cx=0xf7177020) at js/src/shell/js.cpp:5903
    #36 Shell (envp=<optimized out>, op=0xffd57ca0, cx=0xf7177020) at js/src/shell/js.cpp:6228
    #37 main (argc=5, argv=0xffd57df4, envp=0xffd57e0c) at js/src/shell/js.cpp:6586

    eax 0x0        0
    ebx 0x97fbe34  159366708
    ecx 0xf75a688c -145069940
    edx 0x0        0
    esi 0x9802d60  159395168
    edi 0xf509c040 -183910336
    ebp 0xffd55f38 4292173624
    esp 0xffd55ee0 4292173536
    eip 0x871aec5  <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1301>
    => 0x871aec5 <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1301>: movl $0xa6,0x0
       0x871aecf <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1311>: call 0x8101690 <abort()>
Another high-frequency fuzzblocker that is likely fallout from the let patch.
Flags: needinfo?(shu)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151006132131" and the hash "d6059530b0317e6f6b141582b611469505256be4".
The "bad" changeset has the timestamp "20151006135536" and the hash "cfc1820361f599c55128b29de4332f8d06511e07".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=d6059530b0317e6f6b141582b611469505256be4&tochange=cfc1820361f599c55128b29de4332f8d06511e07
It also seems to hit bughunter a lot of times.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE