The following testcase crashes on mozilla-central revision e2bb11b88bd4 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --baseline-eager): g = newGlobal(); g.parent = this; g.eval("(" + function() { Debugger(parent).onExceptionUnwind = function(frame) { frame.older } } + ")()") var target = {}; for (var key of ['foo', Symbol('bar')]) { var handler = { has: function(...target) { assertEq(name, key); } }; for (let p of [new Proxy(function() {}, newExternalString), Proxy.revocable(target, handler).proxy]) { key in p; } } Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000f1b06f in CloneOldBaselineStub (entryIndex=0, entries=..., cx=0x7ffff5f16000) at js/src/jit/BaselineDebugModeOSR.cpp:789 #0 0x0000000000f1b06f in CloneOldBaselineStub (entryIndex=0, entries=..., cx=0x7ffff5f16000) at js/src/jit/BaselineDebugModeOSR.cpp:789 #1 js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=cx@entry=0x7ffff5f16000, obs=..., observing=observing@entry=js::Debugger::Observing) at js/src/jit/BaselineDebugModeOSR.cpp:894 #2 0x0000000000b41f8c in js::Debugger::updateExecutionObservabilityOfFrames (cx=cx@entry=0x7ffff5f16000, obs=..., observing=js::Debugger::Observing) at js/src/vm/Debugger.cpp:2521 #3 0x0000000000b42236 in js::Debugger::ensureExecutionObservabilityOfFrame (cx=0x7ffff5f16000, frame=...) at js/src/vm/Debugger.cpp:2748 #4 0x0000000000b7bca6 in js::Debugger::getScriptFrameWithIter (this=this@entry=0x7ffff5f3f800, cx=cx@entry=0x7ffff5f16000, referent=..., maybeIter=maybeIter@entry=0x7fffffff98f0, result=..., result@entry=...) at js/src/vm/Debugger.cpp:814 #5 0x0000000000b7f080 in js::Debugger::getScriptFrame (result=..., iter=..., cx=0x7ffff5f16000, this=<optimized out>) at js/src/vm/Debugger-inl.h:94 #6 js::DebuggerFrame::getOlder (cx=0x7ffff5f16000, frame=..., frame@entry=..., result=..., result@entry=...) at js/src/vm/Debugger.cpp:7693 #7 0x0000000000b7f1ae in js::DebuggerFrame::olderGetter (cx=0x7ffff5f16000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8381 #8 0x0000000000576f01 in js::CallJSNative (cx=0x7ffff5f16000, native=0xb7f110 <js::DebuggerFrame::olderGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291 #9 0x000000000056b49f in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f16000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:473 #10 0x000000000056b87d in InternalCall (cx=cx@entry=0x7ffff5f16000, args=...) at js/src/vm/Interpreter.cpp:522 #11 0x000000000056b9f0 in js::Call (cx=cx@entry=0x7ffff5f16000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:541 #12 0x000000000056bbc3 in js::CallGetter (cx=0x7ffff5f16000, thisv=thisv@entry=..., getter=getter@entry=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:656 #13 0x0000000000bdd37c in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0x7ffff5f16000) at js/src/vm/NativeObject.cpp:2145 #14 GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff5f16000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:2202 #15 0x0000000000be3984 in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff5f16000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2401 #16 0x0000000000be40c0 in js::NativeGetProperty (cx=cx@entry=0x7ffff5f16000, obj=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2437 #17 0x0000000000573be4 in js::GetProperty (cx=0x7ffff5f16000, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1620 #18 0x0000000000559d46 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff5f16000) at js/src/jsobj.h:804 #19 js::GetProperty (cx=0x7ffff5f16000, v=..., name=..., name@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:4405 #20 0x000000000085eba9 in js::jit::ComputeGetPropResult (res=..., val=..., name=..., op=JSOP_GETPROP, frame=0x7fffffffa6f8, cx=0x7ffff5f16000) at js/src/jit/SharedIC.cpp:1962 #21 js::jit::DoGetPropFallback (cx=0x7ffff5f16000, frame=0x7fffffffa6f8, stub_=<optimized out>, val=..., res=...) at js/src/jit/SharedIC.cpp:2021 #22 0x00003f785180ac4b in ?? () #23 0x00007fffffffa728 in ?? () #24 0x00007fffffffa6b8 in ?? () #25 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff4151460 140737288410208 rcx 0x7ffff6c282ad 140737333330605 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffff9240 140737488327232 rsp 0x7fffffff8d10 140737488325904 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4780 140737354024832 r10 0x58 88 r11 0x7ffff6b9e7a0 140737332766624 r12 0x7ffff44920d0 140737291821264 r13 0x0 0 r14 0x7ffff41456b0 140737288361648 r15 0x7ffff5f16000 140737319624704 rip 0xf1b06f <js::jit::RecompileOnStackBaselineScriptsForDebugMode(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving)+9855> => 0xf1b06f <js::jit::RecompileOnStackBaselineScriptsForDebugMode(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving)+9855>: movl $0x0,0x0 0xf1b07a <js::jit::RecompileOnStackBaselineScriptsForDebugMode(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving)+9866>: ud2

Ted can you look at this? Looking at the testcase, maybe the |key in p| is calling the has() trap we define, and that may trigger debug mode OSR.

We are forcing a crash during debug OSR because ICCacheIR_Regular::Clone is not implemented. The MOZ_CRASH is detecting missing code, not bad state so uplift is optional.

Comment on attachment 8949545 [details] Bug 1432764 - Support Debug OSR with CacheIR_Regular ICs on stack https://reviewboard.mozilla.org/r/218896/#review224750 Good find.

Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/73e11d1d7f78 Support Debug OSR with CacheIR_Regular ICs on stack r=jandem