Closed
Bug 1026485
Opened 9 years ago
Closed 9 years ago
Assertion failure: isJs(), at js/ProfilingStack.h:131
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla33
| | Tracking | Status |
|---|---|---|
| firefox33 | --- | affected |
People
(Reporter: decoder, Assigned: djvj)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])
Attachments
(2 files)
743 bytes, text/plain
1.35 KB, patch (nbp: review+)
The following testcase asserts on mozilla-central revision bb35d1b73634 (run with --fuzzing-safe --ion-eager):

    function TestCase(n, d, e, a)
      TestCase.prototype.dump = function () {}
    enableSPSProfiling();
    new TestCase(typeof Number(new Number()));
    new TestCase(typeof Number(new Number(Number.NaN)));
    test();
    function test() {
      try {
        test();
      } catch (e) {
        new TestCase();
      }
    }
Reporter
Comment 1•9 years ago
Reporter
Updated•9 years ago
status-firefox33: --- → affected
Whiteboard: [jsbugmon:update,bisect]
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 2•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/2e06119fd268
user: Kannan Vijayan
date: Fri May 23 16:13:17 2014 -0400
summary: Bug 970252 - Ensure that SPS entries are popped for frames that error during bailout. r=jandem

This iteration took 482.923 seconds to run.
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Reporter
Comment 4•9 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Assignee
Comment 5•9 years ago
I tried replicating this on linux 32-bit with both opt and debug, as well as with opt and debug 64-bit, on the specified revision. No luck reproducing failure. Can you give me more info about the build config?
Flags: needinfo?(kvijayan) → needinfo?(choller)
Reporter
Comment 6•9 years ago
One thing that probably makes a difference is that this is a --disable-threadsafe build. Apart from that, it should be a 32 bit debug+opt build, nothing else special.
Flags: needinfo?(choller)
Assignee
Comment 7•9 years ago
Ah, Debug + opt was the trick here. I have it replicating now. Yet another stack mismatch bug, sigh.
Assignee: nobody → kvijayan
Assignee
Comment 8•9 years ago
This seems to be another instance of "exception thrown when bailing out". I remember fixing a similar bug to this a while back. Not sure what new path the fuzzer has found that we're not covering.
Assignee
Comment 9•9 years ago
Ok, found the corner case. This happens when we fail an ArgumentCheck in Ion, bail out to Baseline, and then overflow the stack when materializing the baseline frame. We assume we need to pop the pushed SPS frame that would be forgotten due to the stack overrecursion, but that's not the case in this situation because it was never pushed (since pseudostack pushing happens only after argscheck).
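The corner case described in comment 9, as an added example that is not part of the original comment or of the SpiderMonkey source. It is a toy C++ model in which every name (PseudoStack, BailoutPoint, enterAndBailout, depthAfter) is hypothetical, and the guarded variant is an assumed shape for a fix, not the attached patch.

```cpp
// Toy model of the profiler pseudostack; hypothetical names, not SpiderMonkey code.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

enum class BailoutPoint { ArgumentCheck, Body };

struct PseudoStack {
    std::vector<std::string> entries;
    void push(const std::string& label) { entries.push_back(label); }
    void pop() { if (!entries.empty()) entries.pop_back(); }
    std::size_t depth() const { return entries.size(); }
};

// One JIT frame bails out, then rebuilding its Baseline frame fails
// (over-recursion). The frame pushes its pseudostack entry only after the
// argument check has passed.
//   guarded == false: the error path always pops (the assumption comment 9 calls wrong)
//   guarded == true:  the error path pops only if this frame really pushed
// Returns the pseudostack depth once the error path has run.
std::size_t enterAndBailout(PseudoStack& sps, BailoutPoint where, bool guarded) {
    bool pushed = false;
    if (where != BailoutPoint::ArgumentCheck) {
        sps.push("callee");  // pushed after the argument check succeeded
        pushed = true;
    }
    // Bailout begins here and materializing the Baseline frame throws.
    if (!guarded || pushed)
        sps.pop();
    return sps.depth();
}

// Runs one scenario with the caller's entry already on the pseudostack.
// A balanced result is 1: only the caller's entry is left.
std::size_t depthAfter(BailoutPoint where, bool guarded) {
    PseudoStack sps;
    sps.push("caller");
    return enterAndBailout(sps, where, guarded);
}

int main() {
    std::printf("body bailout, unguarded:     %zu\n", depthAfter(BailoutPoint::Body, false));
    std::printf("argcheck bailout, unguarded: %zu\n", depthAfter(BailoutPoint::ArgumentCheck, false));
    std::printf("argcheck bailout, guarded:   %zu\n", depthAfter(BailoutPoint::ArgumentCheck, true));
    return 0;
}
```

In the unguarded argument-check case the depth drops to 0: the pop removes the caller's entry, which is the kind of stack mismatch a debug-build assertion on the pseudostack is there to catch.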
Assignee
Comment 10•9 years ago
Passes jit-tests. Running in try: https://tbpl.mozilla.org/?tree=Try&rev=99cafe73a4db
Assignee
Comment 11•9 years ago
Comment on attachment 8454017
fix-bug-1026485.patch

Old try run was busted for some tbpl-related reason. New try run looks good: https://tbpl.mozilla.org/?tree=Try&rev=d94cc83d9818
Attachment #8454017 - Flags: review?(nicolas.b.pierron)
Comment 12•9 years ago
Comment on attachment 8454017
fix-bug-1026485.patch

Review of attachment 8454017:
-----------------------------------------------------------------

Do the same for the InvalidationBailout function which is below.
Attachment #8454017 - Flags: review?(nicolas.b.pierron) → review+
Assignee
Comment 13•9 years ago
Addressed comments, added test case, pushed: https://hg.mozilla.org/integration/mozilla-inbound/rev/394a87a6450f
Comment 14•9 years ago
https://hg.mozilla.org/mozilla-central/rev/394a87a6450f
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33