The following testcase crashes on mozilla-central revision a0d0344ed47a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads): setJitCompilerOption("ion.warmup.trigger", 1); function f() getBacktrace({ args: 1 }); g = newGlobal(); dbg = Debugger(g); dbg.onNewScript = function(script) fscript = script.getChildScripts()[0]; g.eval("function f() arguments[0]"); fscript.setBreakpoint(0, { hit: function() { f(), () => "" } }) g.f("") Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00000000008ec5e5 in needsArgsObj (this=<optimized out>) at js/src/jsscript.h:1518 #0 0x00000000008ec5e5 in needsArgsObj (this=<optimized out>) at js/src/jsscript.h:1518 #1 argsObjAliasesFormals (this=<optimized out>) at js/src/jsscript.h:1541 #2 FormatFrame (showThisProps=false, showLocals=false, showArgs=true, num=2, buf=0x7ffff6922ca0 "0 f() [\"test.js\":2]\n1 .hit([object Frame]) [\"test.js\":9]\n2 f(", iter=..., cx=0x7ffff6907800) at js/src/jsfriendapi.cpp:762 #3 JS::FormatStackDump (cx=cx@entry=0x7ffff6907800, buf=<optimized out>, buf@entry=0x0, showArgs=true, showLocals=false, showThisProps=false) at js/src/jsfriendapi.cpp:915 #4 0x0000000000a2515b in GetBacktrace (cx=0x7ffff6907800, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2292 #5 0x0000000000aa1e02 in js::CallJSNative (cx=0x7ffff6907800, native=0xa25110 <GetBacktrace(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 #6 0x0000000000a9b351 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475 #7 0x0000000000a8c012 in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:2801 #8 0x0000000000a9b078 in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:425 #9 0x0000000000a9b3ad in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:493 #10 0x0000000000a9be7c in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffbb40, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:527 #11 0x00000000009ce942 in CallMethodIfPresent (name=0xeaa7d4 "hit", argc=1, rval=..., argv=0x7fffffffbb40, obj=..., cx=0x7ffff6907800) at js/src/vm/Debugger.cpp:1244 #12 js::Debugger::onTrap (cx=cx@entry=0x7ffff6907800, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1542 #13 0x0000000000a96e01 in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:1739 #14 0x0000000000a9b078 in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:425 #15 0x0000000000a9b3ad in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:493 #16 0x0000000000a9be7c in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=<optimized out>, argv=0x7ffff517a0a0, rval=...) at js/src/vm/Interpreter.cpp:527 #17 0x00000000009896f7 in js::DirectProxyHandler::call (this=this@entry=0x1c043b0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6907800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77 #18 0x000000000098e863 in js::CrossCompartmentWrapper::call (this=0x1c043b0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6907800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289 #19 0x000000000098d82a in js::Proxy::call (cx=0x7ffff6907800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391 #20 0x000000000098d8fa in js::proxy_Call (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:683 #21 0x0000000000aa1e02 in js::CallJSNative (cx=0x7ffff6907800, native=0x98d850 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 [...] #33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7056 rax 0x0 0 rbx 0x0 0 rcx 0x7ffff6ca53b0 140737333842864 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffffb030 140737488334896 rsp 0x7fffffffa8c0 140737488332992 r8 0x7ffff7fe07c0 140737354008512 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7fffffffa680 140737488332416 r11 0x7ffff6c27960 140737333328224 r12 0x7ffff6904460 140737330037856 r13 0x7ffff6922ca0 140737330162848 r14 0x7fffffffab20 140737488333600 r15 0x7fffffffabb0 140737488333744 rip 0x8ec5e5 <JS::FormatStackDump(JSContext*, char*, bool, bool, bool)+4853> => 0x8ec5e5 <JS::FormatStackDump(JSContext*, char*, bool, bool, bool)+4853>: movl $0x5ee,0x0 0x8ec5f0 <JS::FormatStackDump(JSContext*, char*, bool, bool, bool)+4864>: callq 0x4a4690 <abort()>

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/64203c2e785d user: Nicolas B. Pierron date: Wed Sep 10 19:11:20 2014 +0200 summary: Bug 1063816 - Rename useCount to warmUpCounter. r=h4writer This iteration took 151.745 seconds to run.

Bisection is probably wrong here, the first line is misleading: removing it and using --ion-eager reproduces the same issue. Needinfo to evilpie, who wrote this code: it seems that the only missing thing on frame #2 is to call ensureHasAnalyzedArgsUsage before calling needsArgsObj(), maybe hoisting it out of the loop at first. Does that make sense?

I think ensureHasAnalyzedArgsUsage didn't exist when I wrote this. Jan is probably better informed about arguments related code.

We could call ensureHasAnalyzedArgsUsage, but since this is a debugging function I'd rather not change more state than necessary. This patch just calls script->analyzedArgsUsage().

Comment on attachment 8718288 [details] [diff] [review] Patch Review of attachment 8718288 [details] [diff] [review]: ----------------------------------------------------------------- Good point.