Closed Bug 1109009 Opened 5 years ago Closed 5 years ago

Assertion failure: callerFP == (uint8_t*)fp + callsite->stackDepth(), at asmjs/AsmJSFrameIterator.cpp

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla37
Tracking Status
firefox37 --- affected

People

(Reporter: gkw, Assigned: luke)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

gczeal(14);
// Fuzzer prelude: neutralize shell helpers that must not run during the test.
dis = function() {};
disassemble = function() {};
dumpObject = function() {};
dumpHeapComplete = function() {};
help = function() {};
// Randomly chosen test: js/src/jit-test/tests/basic/bug908915.js
try {
    for each(let e in newGlobal()) {
        if (e.name === "quit" || e.name == "readline" || e.name == "terminate" || e.name == "dis" ||
            e.name == "dumpHeapComplete" || e.name == "dumpObject" || e.name == "wrapWithProto" ||
            e.name == "help" || e.name == "backtrace" || e.name == "stackDump" ||
            e.name == "nestedShell")
            continue;
        try {
            e();
        } catch (r) {}
    }
} catch (e) {}
// Randomly chosen test: js/src/jit-test/tests/asm.js/testTimeout4.js
const USE_ASM = '"use asm";';

function asmCompile() {
    var f = Function.apply(null, arguments);
    return f;
}

function asmLink(f) {
    var ret = f.apply(null, Array.slice(arguments, 1));
    return ret;
}
var g = asmLink(asmCompile(USE_ASM + "function f(d) { d=+d; d=d*.1; d=d/.4; return +d } \
                                      function g() { while(1) { +f(1.1) } } return g"));
// Arm the shell's interrupt timer, then enter the asm.js infinite loop in g();
// the interrupt fires asynchronously while g is running.
timeout(0.01);
g();
// jsfunfuzz
// -- reduced away --

asserts js debug shell on m-c changeset f1f48ccb2d4e with --fuzzing-safe --no-threads --ion-eager at Assertion failure: callerFP == (uint8_t*)fp + callsite->stackDepth(), at asmjs/AsmJSFrameIterator.cpp.

Debug configure options:

CC="gcc -m32 -msse2 -mfpmath=sse" CXX="g++ -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh /home/fuzz2lin/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/f1f48ccb2d4e/js/src/jit-test/tests/basic/bug908915.js
http://hg.mozilla.org/mozilla-central/file/f1f48ccb2d4e/js/src/jit-test/tests/asm.js/testTimeout4.js

This happens once every 30-40 times. Setting needinfo? from :bbouvier as a start, since this involves asm.js.
Flags: needinfo?(benj)
Attached file stack
(gdb) bt 5
#0  0x081354f0 in AssertMatchesCallSite (module=..., calleeCodeRange=0x9cfa8b8, callerPC=0xf77230b0, callerFP=0xf7724088, fp=0xf5ffee00)
    at /home/fuzz2lin/trees/mozilla-central/js/src/asmjs/AsmJSFrameIterator.cpp:425
#1  0x081358bc in js::AsmJSProfilingFrameIterator::AsmJSProfilingFrameIterator (this=0xffa54244, activation=..., state=...) at /home/fuzz2lin/trees/mozilla-central/js/src/asmjs/AsmJSFrameIterator.cpp:585
#2  0x086dde77 in JS::ProfilingFrameIterator::iteratorConstruct (this=0xffa54240, state=...) at /home/fuzz2lin/trees/mozilla-central/js/src/vm/Stack.cpp:1704
#3  0x086de176 in JS::ProfilingFrameIterator::ProfilingFrameIterator (this=0xffa54240, rt=0x9c9b538, state=...) at /home/fuzz2lin/trees/mozilla-central/js/src/vm/Stack.cpp:1664
#4  0x080bedbd in SingleStepCallback (arg=0x9c9b538, sim=0x9caff38, pc=0xf7724084) at /home/fuzz2lin/trees/mozilla-central/js/src/shell/js.cpp:4113
(More stack frames follow...)
(gdb)
Can't reproduce, even intermittently, on my machine (32-bit build with ARM simulator and gczeal enabled, with --no-threads --ion-eager at runtime, run 50 times). gczeal(14) at the beginning seems to point to a GC bug, but not sure about that.
Flags: needinfo?(benj)
Fortunately, I can reproduce.
Assignee: nobody → luke
Attached patch fix-profiling
Hah, this test case hits a pretty unlikely profiler corner case: on ARM/MIPS there is a single instruction wherein sp has been incremented but activation.fp still points to the current frame.  sp protects the stack frame from clobber by asynchronous signal handlers (including, in this case, the async interrupt exit), so we can't bump sp until activation.fp is repointed to the caller fp.  Unfortunately, this requires adding another case to the epilogue unwinding.  x86 doesn't have this problem because the pop insn both pops the stack and updates activation.fp.
Attachment #8533828 - Flags: review?(dtc-moz)
Attachment #8533828 - Flags: review?(dtc-moz) → review+
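The race described in the comment above, modeled as an added example. This is not SpiderMonkey code and not the attached patch: it is a small word-addressed machine with a four-instruction epilogue, a hypothetical signal handler that scribbles over the stack below sp, and a two-case profiler unwinder, all constructed here. The stack layout (callee fp at word 43, caller fp at word 48, so callsite stackDepth is 5 words), the instruction names and the `fixed` flag are assumptions for illustration. It shows the one-instruction window in the "bump sp, then repoint activation.fp" ordering, and that the "repoint first, bump later" ordering only works once the unwinder gains the extra case for a sample taken at the sp-bump instruction.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an asm.js epilogue on an ARM/MIPS-like machine. */
#define STACK_WORDS    64
#define FRAME_WORDS    4            /* saved caller fp slot + 3 locals */
#define SIGFRAME_WORDS 8            /* words a signal handler pushes below sp */
#define GARBAGE        0xDEADBEEFu  /* what the handler leaves behind */
#define CALLEE_FP      43           /* slot holding the caller's fp (assumed layout) */
#define CALLER_FP      48
#define STACK_DEPTH    (CALLER_FP - CALLEE_FP)  /* callsite->stackDepth(), in words */

enum { OP_LOAD_FP, OP_BUMP_SP, OP_STORE_ACT, OP_RET, OP_COUNT };

typedef struct {
    uint32_t mem[STACK_WORDS];  /* stack memory; grows toward index 0 */
    int sp;                     /* index of the top-of-stack word */
    int fp;                     /* machine frame pointer */
    int activation_fp;          /* the AsmJSActivation::fp the profiler reads */
    uint32_t reg;               /* scratch register used by the epilogue */
    const int *order;           /* instruction order of this build's epilogue */
    int next;                   /* pc: index into order of the next instruction */
} Machine;

/* State right after the callee prologue: caller fp pushed, fp set, locals reserved. */
static Machine make_machine(void) {
    Machine m;
    memset(&m, 0, sizeof m);
    m.sp = CALLEE_FP + 1;            /* caller's sp at the call */
    m.sp -= 1; m.mem[m.sp] = CALLER_FP;   /* push caller fp */
    m.fp = m.sp;                     /* == CALLEE_FP */
    m.activation_fp = m.fp;          /* activation.fp now names the callee frame */
    m.sp -= FRAME_WORDS - 1;         /* locals */
    return m;
}

/* Retire one epilogue instruction. */
static void exec(Machine *m, int op) {
    switch (op) {
    case OP_LOAD_FP:   m->reg = m->mem[m->fp];                        break; /* ldr reg, [fp]      */
    case OP_BUMP_SP:   m->sp += FRAME_WORDS;                          break; /* add sp, sp, #frame */
    case OP_STORE_ACT: m->fp = (int)m->reg; m->activation_fp = m->fp; break; /* str reg, [act.fp]  */
    case OP_RET:                                                      break;
    }
}

/* Asynchronous signal handler (the async interrupt exit, say) arriving between
 * two epilogue instructions: it pushes its own frame below sp.  Everything the
 * epilogue has already released (index < sp) is overwritten. */
static void deliver_signal(Machine *m) {
    for (int i = 1; i <= SIGFRAME_WORDS; i++)
        m->mem[m->sp - i] = GARBAGE;
}

/* The profiler's epilogue unwinding, run from inside the signal handler. */
static uint32_t unwind_caller_fp(const Machine *m, int fixed) {
    int pc = m->order[m->next];              /* instruction the sample interrupted */
    if (pc == OP_RET)                        /* original case: at ret, activation.fp is the caller */
        return (uint32_t)m->activation_fp;
    if (fixed && pc == OP_BUMP_SP)           /* added case: repointed before the sp bump */
        return (uint32_t)m->activation_fp;
    /* Otherwise activation.fp is the current frame and its slot holds the caller's fp. */
    return m->mem[m->activation_fp];
}

/* Step the epilogue, delivering a signal and taking a profiler sample before every
 * instruction.  Returns how many samples violate callerFP == fp + stackDepth. */
static int run_epilogue(int fixed) {
    static const int buggy[OP_COUNT] = { OP_LOAD_FP, OP_BUMP_SP, OP_STORE_ACT, OP_RET };
    static const int good[OP_COUNT]  = { OP_LOAD_FP, OP_STORE_ACT, OP_BUMP_SP, OP_RET };
    Machine m = make_machine();
    m.order = fixed ? good : buggy;
    int failures = 0;
    for (m.next = 0; m.next < OP_COUNT; m.next++) {
        deliver_signal(&m);
        if (unwind_caller_fp(&m, fixed) != (uint32_t)(CALLEE_FP + STACK_DEPTH))
            failures++;
        exec(&m, m.order[m.next]);
    }
    return failures;
}

int main(void) {
    printf("bump sp before repointing activation.fp: %d bad sample(s)\n", run_epilogue(0));
    printf("repoint activation.fp before bumping sp: %d bad sample(s)\n", run_epilogue(1));
    return 0;
}
```

In the first ordering the only bad sample is the one taken at the `str` instruction: sp has already released the frame, the handler's pushes overwrite the saved-fp slot, and the unwinder, which still classifies that pc as "activation.fp is the current frame", reads garbage. Swapping the two instructions removes the window, but a sample taken at the `add sp` instruction now finds activation.fp already pointing at the caller, which is exactly the extra epilogue case the unwinder has to learn.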
https://hg.mozilla.org/mozilla-central/rev/5d39b220aa02
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37