1026485 - Assertion failure: isJs(), at js/ProfilingStack.h:131

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision bb35d1b73634 (run with --fuzzing-safe --ion-eager):


function TestCase(n, d, e, a)
  TestCase.prototype.dump = function () {}
enableSPSProfiling();
new TestCase(typeof Number(new Number()));
new TestCase(typeof Number(new Number(Number.NaN)));
test();
function test() {
    try {
        test();
    } catch (e) {
        new TestCase();
    }
}

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2e06119fd268
user:        Kannan Vijayan
date:        Fri May 23 16:13:17 2014 -0400
summary:     Bug 970252 - Ensure that SPS entries are popped for frames that error during bailout. r=jandem

This iteration took 482.923 seconds to run.

Comment 3

[Christian Holler (:decoder)]

Needinfo on djvj based on comment 2 :)

Comment 4

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 5

[Kannan Vijayan [:djvj]]

I tried replicating this on linux 32-bit with both opt and debug, as well as with opt and debug 64-bit, on the specified revision.  No luck reproducing failure.  Can you give me more info about the build config?

Comment 6

[Christian Holler (:decoder)]

One thing that probably makes a difference is that this is a --disable-threadsafe build. Apart from that, it should be a 32 bit debug+opt build, nothing else special.

Comment 7

[Kannan Vijayan [:djvj]]

Ah, Debug + opt was the trick here.  I have it replicating now.  Yet another stack mismatch bug, sigh.

Comment 8

[Kannan Vijayan [:djvj]]

This seems to be another instance of "exception thrown when bailing out".  I remember fixing a similar bug to this a while back.  Not sure what new path the fuzzer has found that we're not covering.

Comment 9

[Kannan Vijayan [:djvj]]

Ok, found the corner case.  This happens when we fail an ArgumentCheck in Ion, bail out to Baseline, and then overflow the stack when materializing the baseline frame.

We assume we need to pop the pushed SPS frame that would be forgotten due to the stack overrecursion, but that's not the case in this situation because it was never pushed (since pseudostack pushing happens only after argscheck).

Comment 10

[Kannan Vijayan [:djvj]]

Attachment: fix-bug-1026485.patch

Passes jit-tests.  Running in try: https://tbpl.mozilla.org/?tree=Try&rev=99cafe73a4db

Comment 11

[Kannan Vijayan [:djvj]]

Comment on attachment 8454017 [details] [diff] [review]
fix-bug-1026485.patch

Old try run was busted for some tbpl-related reason.  New try run looks good: https://tbpl.mozilla.org/?tree=Try&rev=d94cc83d9818

Comment 12

[Nicolas B. Pierron [:nbp]]

Comment on attachment 8454017 [details] [diff] [review]
fix-bug-1026485.patch

Review of attachment 8454017 [details] [diff] [review]:
-----------------------------------------------------------------

Do the same for the InvalidationBailout function which is below.

Comment 13

[Kannan Vijayan [:djvj]]

Addressed comments, added test case, pushed:

https://hg.mozilla.org/integration/mozilla-inbound/rev/394a87a6450f

Comment 14

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/394a87a6450f