Closed Bug 1107935 Opened 10 years ago Closed 10 years ago

Assertion failure: isJs(), at ../../dist/include/js/ProfilingStack.h:135

Categories

(Core :: JavaScript Engine, defect)

Hardware: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1107525
Tracking Status
firefox37 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

The following testcase crashes on mozilla-central revision a9fc46355661 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --ion-eager --no-threads):

var g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function () {};");
enableSPSProfiling();
function enterFunc(funcName)
function writeHeaderToLog(string) {}
var BUGNUMBER = 350621;
test();
function test() {
    enterFunc(summary = this, test(BUGNUMBER));
}


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006acce5 in script (this=<optimized out>) at ../../dist/include/js/ProfilingStack.h:135
135	        MOZ_ASSERT(isJs());
#0  0x00000000006acce5 in script (this=<optimized out>) at ../../dist/include/js/ProfilingStack.h:135
#1  js::SPSProfiler::updatePC (this=<optimized out>, script=<optimized out>, pc=<optimized out>) at js/src/vm/SPSProfiler.h:177
#2  0x000000000067f43a in js::jit::BailoutIonToBaseline (cx=cx@entry=0x19ac2d0, activation=<optimized out>, iter=..., invalidate=invalidate@entry=true, bailoutInfo=bailoutInfo@entry=0x7fffffffb7a0, excInfo=excInfo@entry=0x7fffffffbb00, poppedLastSPSFrameOut=poppedLastSPSFrameOut@entry=0x7fffffffb78f) at js/src/jit/BaselineBailouts.cpp:1544
#3  0x00000000005e2899 in js::jit::ExceptionHandlerBailout (cx=cx@entry=0x19ac2d0, frame=..., rfe=rfe@entry=0x7fffffffc0d8, excInfo=..., overrecursed=overrecursed@entry=0x7fffffffb9e0) at js/src/jit/Bailouts.cpp:201
#4  0x00000000006fee65 in HandleExceptionIon (overrecursed=0x7fffffffb9e0, rfe=0x7fffffffc0d8, frame=..., cx=0x19ac2d0) at js/src/jit/JitFrames.cpp:447
#5  js::jit::HandleException (rfe=0x7fffffffc0d8) at js/src/jit/JitFrames.cpp:745
#6  0x00007ffff7fe821f in ?? ()
#7  0x0000000000000000 in ?? ()
rip	0x6acce5 <js::SPSProfiler::updatePC(JSScript*, unsigned char*)+197>
=> 0x6acce5 <js::SPSProfiler::updatePC(JSScript*, unsigned char*)+197>:	movl   $0x7b,0x0
   0x6accf0 <js::SPSProfiler::updatePC(JSScript*, unsigned char*)+208>:	callq  0x404b20 <abort@plt>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Shu-yu, yet another onExceptionUnwind + profiler combination. (filed a few days ago)
Flags: needinfo?(shu)
I confirmed locally that this test case is fixed by bug 1107525. Pretty sure it's a symptom of the same bug.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE