1107525 - Assertion failure: stack_[*size_].isJs(), at js/src/vm/SPSProfiler.cpp:192 or Crash on Heap

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision a9fc46355661 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off):

enableSPSProfiling();
var g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function () { hits++; };");
function f() {
    var x = f();
}
f();


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a6487b in js::SPSProfiler::exit (this=0x1990560, script=0x7ffff5961280, maybeFun=<optimized out>) at js/src/vm/SPSProfiler.cpp:192
192	        MOZ_ASSERT(stack_[*size_].isJs());
#0  0x0000000000a6487b in js::SPSProfiler::exit (this=0x1990560, script=0x7ffff5961280, maybeFun=<optimized out>) at js/src/vm/SPSProfiler.cpp:192
#1  0x00000000006ff5a5 in ExitScript (popSPSFrame=<optimized out>, maybeFun=<optimized out>, script=<optimized out>, cx=0x19ac2d0) at js/src/vm/Probes-inl.h:77
#2  js::jit::HandleException (rfe=0x7ffffffd4200) at js/src/jit/JitFrames.cpp:811
#3  0x00007ffff7fe821f in ?? ()
#4  0x0000000000000008 in ?? ()
#5  0x00007ffffffd4200 in ?? ()
#6  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x1990560	26805600
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7ffffffd3a90	140737488173712
rsp	0x7ffffffd3a50	140737488173648
r8	0x7ffff7fe0780	140737354008448
r9	0x72746e65632d616c	8247338199356891500
r10	0x7ffffffd3810	140737488173072
r11	0x7ffff6c27960	140737333328224
r12	0x195d350	26596176
r13	0x7ffff5961280	140737313641088
r14	0x7ffff6f79868	140737336809576
r15	0xffffffffffffffe8	-24
rip	0xa6487b <js::SPSProfiler::exit(JSScript*, JSFunction*)+571>
=> 0xa6487b <js::SPSProfiler::exit(JSScript*, JSFunction*)+571>:	movl   $0x7b,0x0
   0xa64886 <js::SPSProfiler::exit(JSScript*, JSFunction*)+582>:	callq  0x404b20 <abort@plt>

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

While waiting for autoBisect's result, this seems to involve onExceptionUnwind, and so cc'ing Shu-yu as a start. :)

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b160657339f8
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:39 2014 -0800
summary:     Bug 1032869 - Part 2: Move debuggee-ness to frames and selectively deoptimize when Debugger needs to observe execution. (r=jimb)

changeset:   https://hg.mozilla.org/mozilla-central/rev/bb2f13ba7b1c
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1062629 - Off-thread compartment debug mode should match main thread compartment debug mode. (r=jimb)

changeset:   https://hg.mozilla.org/mozilla-central/rev/1176cc3c3b34
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1063328 - Fix on-stack live iterator handling when bailing out in-place due to debug mode OSR. (r=jandem)

changeset:   https://hg.mozilla.org/mozilla-central/rev/f8e316fa65bb
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1063330 - Remove the JS shell's evalInFrame. (r=jimb)

changeset:   https://hg.mozilla.org/mozilla-central/rev/96a2f59f6ce4
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1032869 - Part 3: Don't consider onExceptionUnwind an all-execution-observing hook. (r=jandem)

changeset:   https://hg.mozilla.org/mozilla-central/rev/06d07689a043
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:41 2014 -0800
summary:     Bug 1032869 - Part 4: Add an auto-updated DebugModeOSRVolatileJitFrameIterator. (r=jandem)


Shu-yu, are any of these bugs potential regressors?

Comment 4

[Shu-yu Guo [:shu]]

Attachment: Fix corner case of in-place debug mode bailout and SPS pseudo frame popping.

Kannan's going to love this: when corner cases collide between SPS balance and
in-place exception propagation by bailing out from Ion->Baseline for Debugger.

Comment 5

[Shu-yu Guo [:shu]]

remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/c8adfe4f5995

Comment 7

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

This apparently busted (only) the ARM simulator build, so backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/78483a3e7b51

https://treeherder.mozilla.org/ui/logviewer.html#?job_id=4441651&repo=mozilla-inbound

Comment 8

[Shu-yu Guo [:shu]]

Attachment: Fix corner case of in-place debug mode bailout and SPS pseudo frame popping.

I completely misdiagnosed the bug the first time around -- we are double
popping an SPS entry due to the bailout process itself erroring out due to
overrecursion.

Comment 9

[Jan de Mooij [:jandem]]

Comment on attachment 8533465 [details] [diff] [review]
Fix corner case of in-place debug mode bailout and SPS pseudo frame popping.

Review of attachment 8533465 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/JitFrames.cpp
@@ +733,5 @@
>      // on-stack recompilation occur.
>      DebugModeOSRVolatileJitFrameIterator iter(cx);
>      while (!iter.isEntry()) {
>          bool overrecursed = false;
> +        bool poppedLastSPSFrame = false;

Nit: can we move this line to before the HandleExceptionIon call?

Comment 10

[Shu-yu Guo [:shu]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/170231ba4950

Comment 11

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/170231ba4950

Comment 12

[Ryan VanderMeulen [:RyanVM]]

Fixed for Fx36 by the roll-up in bug 1114757.