Closed
Bug 1135703
Opened 9 years ago
Closed 9 years ago
Assertion failure: Mismatch between stored lastProfilingFrame and current stack pointer., at js/src/jit/MacroAssembler.cpp:1565
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla39
People
(Reporter: decoder, Assigned: djvj)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
2.85 KB, patch (shu: review+)
The following testcase crashes on mozilla-central revision 86d2bb8bb1c9 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2):

for (var idx = 0; idx < 20; ++idx) {
    newFunc("enableSPSProfilingWithSlowAssertions(); disableSPSProfiling();");
}
newFunc("enableSPSProfiling();");
function newFunc(x) {
    new Function(x)();
};

Backtrace:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff558713b in ?? ()
#0  0x00007ffff558713b in ?? ()
#1  0x00007ffff5587cd1 in ?? ()
#2  0x0000000000000203 in ?? ()
#3  0x00007ffff565d12a in ?? ()
#4  0x0000000000000000 in ?? ()
rax     0x1     1
rbx     0xfff8800000000014      -2111062325329900
rcx     0xfff9000000000000      -1970324836974592
rdx     0x1a10bd0       27331536
rsi     0x7ffff5591768  140737309644648
rdi     0x1afe3f8       28304376
rbp     0x7fffffffc850  140737488341072
rsp     0x7fffffffc7f0  140737488340976
r8      0x7fffffffc740  140737488340800
r9      0x11    17
r10     0x1afe3f8       28304376
r11     0x7ffff6c3a940  140737333406016
r12     0x8     8
r13     0x7fffffffcab0  140737488341680
r14     0x7ffff565b0c0  140737310470336
r15     0x0     0
rip     0x7ffff558713b  140737309602107
=> 0x7ffff558713b:      mov    0x8(%rsp),%r8
   0x7ffff5587140:      mov    %r8,%r9

I think we had a bug somewhere with a very similar test but I couldn't find it and it also didn't have this assertion as far as I can remember.
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/70a8168c7d24
user: Kannan Vijayan
date: Thu Jan 15 20:11:21 2015 -0500
summary: Bug 1057082 - 3/7 - Modify jits to use lastProfilingFrame and lastProfilingCallSite fields. r=jandem

This iteration took 188.368 seconds to run.
Assignee
Updated•9 years ago
Flags: needinfo?(kvijayan)
QA Contact: kvijayan
Updated•9 years ago
Assignee: nobody → kvijayan
QA Contact: kvijayan
Assignee
Comment 3•9 years ago
The problem is that when enabling/disabling the profiler, we don't go through all the JitFrames and set lastProfilingFrame appropriately. We only set the lastProfilingFrame on the topmost JitFrame.

The test case triggers the issue by turning on profiling, then turning off profiling in the same frame (thereby causing lastProfilingFrame to become stale), and then turning profiling on again in a sub-activation. When we return from the sub-activation with profiling turned on, the lastProfilingFrame ptr does not match.

Fix is to ensure that all JitActivations have their lastProfilingFrame (and lastProfilingCallSite) properly reset when profiling is turned on or off.
Attachment #8576159 -
Flags: review?(shu)
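A toy C++ model of the failure sequence described in comment 3, added here as an illustration; it is not SpiderMonkey code and not the attached patch. The Activation and Runtime types, the integer frame ids, the reset values and the return-time check are all assumptions made for the model.

```cpp
#include <cstdio>
#include <vector>

// Toy model: integer frame ids stand in for stack pointers, 0 for null.
struct Activation {
    int currentFrame;        // frame this activation is executing
    int lastProfilingFrame;  // frame the profiler believes it is executing
};
struct Runtime {
    std::vector<Activation> activations;  // back() is the topmost activation
    bool profiling = false;
    bool resetAll;  // false: pre-fix behaviour, true: behaviour after the fix
    explicit Runtime(bool fixed) : resetAll(fixed) {}
    void enter(int frame) { activations.push_back(Activation{frame, 0}); }
    // Profiled code keeps the field current; unprofiled code leaves it alone.
    void moveTo(int frame) {
        Activation& top = activations.back();
        top.currentFrame = frame;
        if (profiling) top.lastProfilingFrame = frame;
    }
    void setProfiling(bool on) {
        profiling = on;
        if (resetAll) {  // fix: walk every activation on each toggle
            for (Activation& a : activations)
                a.lastProfilingFrame = on ? a.currentFrame : 0;
        } else if (on) {  // bug: only the topmost activation is updated
            activations.back().lastProfilingFrame = activations.back().currentFrame;
        }
    }
    // Stand-in for the assertion: stored frame must match the real one on return.
    bool leaveAndCheck() {
        activations.pop_back();
        const Activation& top = activations.back();
        return !profiling || top.lastProfilingFrame == top.currentFrame;
    }
};

// Sequence from the comment: on, off in the same frame, on in a sub-activation.
bool scenarioPassesCheck(bool fixed) {
    Runtime rt(fixed);
    rt.enter(1);
    rt.setProfiling(true);
    rt.setProfiling(false);  // pre-fix: outer lastProfilingFrame stays at 1
    rt.moveTo(2);            // outer activation keeps running, unprofiled
    rt.enter(3);             // sub-activation
    rt.setProfiling(true);
    return rt.leaveAndCheck();
}
int main() { std::printf("pre-fix: %d, fixed: %d\n", scenarioPassesCheck(false), scenarioPassesCheck(true)); }
```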
Comment 4•9 years ago
Comment on attachment 8576159
fix-bug-1135703.patch

Review of attachment 8576159:
-----------------------------------------------------------------

LGTM, thanks for explanation.
Attachment #8576159 -
Flags: review?(shu) → review+
Assignee
Comment 5•9 years ago
Try run here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=34b16cc3797c

The reds on OSX 10.6 are present in other try builds for other patches, and seem to be a try issue. Other oranges are SIMD related, and some intermittents. Waiting until more results finish before pushing.
Assignee
Comment 6•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/5e3d56c1c091
https://hg.mozilla.org/integration/mozilla-inbound/rev/90eccf42027e
Flags: in-testsuite?
Assignee
Updated•9 years ago
Flags: in-testsuite?
Comment 7•9 years ago
https://hg.mozilla.org/mozilla-central/rev/5e3d56c1c091
https://hg.mozilla.org/mozilla-central/rev/90eccf42027e
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox39: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla39