Closed Bug 1000225 Opened 10 years ago Closed 6 years ago

Assertion failure: js(), at js/ProfilingStack.h:64 or Crash [@ js::ProfileEntry::setPC]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox31 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:testComment=6,origRev=d7c07694f339])

Crash Data

Attachments

(1 file)

[crash-signature] Machine-readable crash signature
1009 bytes, text/plain
Details 
The following testcase asserts on mozilla-central revision ac376a4e8174 (run with --fuzzing-safe --ion-eager):


arr = [];
arr.watch('length', watcher);
try {
  arr.push(5);
} catch(ex) {
  arr.pop();
}
function watcher(propname, oldval, newval) {
  return (function() {
   var n = 50;
   while (n--) {
     disableSPSProfiling();
     if (!n)
       return;
     enableSPSProfilingAssertions(true);
   }
  })();
}
Crash Signature: [@ js::ProfileEntry::setPC]
status-firefox31: --- → affected
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Kannan / Jan, is this another SPS issue related to bug 970252 or bug 994406?
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/88288ea65ef8
user:        Steve Fink
date:        Mon Apr 01 17:58:37 2013 -0700
summary:     Bug 822041 - Do not copy hasPushedSPSFrame() from heap generator frame. r=luke

This iteration took 81.981 seconds to run.
Needinfo from Steve based on comment 3 :)
Flags: needinfo?(sphink)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b7062df8c7c3).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
arr = [];
arr.watch('length', watcher);
try {
  arr.push(5);
} catch(ex) {
  arr.pop();
}
function watcher(propname, oldval, newval) {
  return (function() {
   var n = 50;
   while (n--) {
     disableSPSProfiling();
     if (!n)
       return;
     enableSPSProfilingWithSlowAssertions();
   }
  })();
}


Let's try this with JSBugMon :)
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:update,testComment=6,origRev=d7c07694f339]
Whiteboard: [jsbugmon:update,testComment=6,origRev=d7c07694f339] → [jsbugmon:testComment=6,origRev=d7c07694f339]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
I'm assuming this will disappear with djvj's new frame walking stuff. Either that, or it's already gone.
Flags: needinfo?(sphink)
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Closing because no crash reported since 12 weeks.
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats.  Other resolutions may be appropriate for other reasons.

(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes.  The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
:decoder, is this bug still alive ?
Flags: needinfo?(choller)
I would assume this bug is gone because Array.watch() has been removed.

JSBugMon didn't report this because it couldn't automatically track this bug in the first place for some reason.

Closing as WORKSFORME because we removed the underlying code, but I don't know where.
Status: REOPENED → RESOLVED
Closed: 6 years ago6 years ago
Flags: needinfo?(choller)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: