Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) Reporter
	Description • 9 years ago

{
    const z = 0;
    while (z = 1) {}
}

asserts js debug shell on m-c changeset d53a52b39a95 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: JSOp(*pc) == JSOP_IFNE || JSOp(*pc) == JSOP_IFEQ, at jit/IonBuilder.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r d53a52b39a95

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d1e0b2e1b8ea
user:        Jan de Mooij
date:        Wed Oct 21 10:09:40 2015 +0200
summary:     Bug 1215992 - Terminate control flow for THROWSETCONST/THROWSETALIASEDCONST in IonBuilder. r=shu

Jan, is bug 1215992 a likely regressor?

	Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) Reporter
	Comment 1 • 9 years ago

(lldb) bt 5
* thread #1: tid = 0xc6f6f, 0x00000001002014e9 js-dbg-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::processWhileCondEnd(this=<unavailable>, state=<unavailable>) + 777 at IonBuilder.cpp:2533, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002014e9 js-dbg-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::processWhileCondEnd(this=<unavailable>, state=<unavailable>) + 777 at IonBuilder.cpp:2533
    frame #1: 0x00000001001f3ed9 js-dbg-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::processCfgStack(this=0x0000000102cbe1a8) + 41 at IonBuilder.cpp:2142
    frame #2: 0x00000001001f1e72 js-dbg-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::traverseBytecode(this=0x0000000102cbe1a8) + 306 at IonBuilder.cpp:1484
    frame #3: 0x00000001001ed954 js-dbg-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::build(this=0x0000000102cbe1a8) + 1476 at IonBuilder.cpp:913
    frame #4: 0x00000001001e6064 js-dbg-64-dm-darwin-d53a52b39a95`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 2150 at Ion.cpp:2177
(lldb)

	Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) Reporter
	Comment 2 • 9 years ago

The testcase in comment 0 also causes a null-deref at js::jit::MBasicBlock::pop on js opt shells:

(lldb) dis -p
js-64-dm-darwin-d53a52b39a95`js::jit::MBasicBlock::pop:
->  0x1001c8bc0 <+0>:  movl   0x88(%rdi), %eax
    0x1001c8bc6 <+6>:  decl   %eax
    0x1001c8bc8 <+8>:  movl   %eax, 0x88(%rdi)
    0x1001c8bce <+14>: movq   0x78(%rdi), %rcx
(lldb) register read $rdi
     rdi = 0x0000000000000000
(lldb) register read $eax
     eax = 0x0013d380
(lldb)

	Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) Reporter
	Comment 3 • 9 years ago

The opt shell in comment 2 was compiled with:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests