Closed Bug 1111251 Opened 9 years ago Closed 9 years ago

Assertion failure: stack_[i].pc() != nullptr, at vm/SPSProfiler.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla38
Tracking Status
firefox37 --- wontfix
firefox38 --- fixed
firefox39 --- fixed
firefox40 --- verified
firefox-esr31 --- unaffected
firefox-esr38 --- fixed
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- wontfix
b2g-master --- fixed

People

(Reporter: gkw, Assigned: djvj)

Details

(4 keywords, Whiteboard: [jsbugmon:testComment=3,origRev=b17e7747d3fb][adv-main38+])

Attachments

(1 file)

// Randomly chosen test: js/src/jit-test/tests/ion/bug901086.js
enableSPSProfiling();
// Randomly chosen test: js/src/jit-test/tests/basic/bug908915.js
load("bug908915.js");

and bug908915.js is:

for each(let e in newGlobal()) {
    if (e.name == "disableSPSProfiling") {
        e()
    }
}
(function() {
    arguments.__proto__.__proto__ = newGlobal()
    function f(y) {
        y()
    }
    for each(b in (function() {})) {
        if (b.name == "enableSPSProfiling" ||
            b.name == "enableSPSProfilingWithSlowAssertions" ||
            b.name == "setImmutablePrototype") {
            f(b)
        }
    }
})()


asserts js debug shell on m-c changeset 5288b15d22de with --fuzzing-safe --no-threads --ion-eager at Assertion failure: stack_[i].pc() != nullptr, at vm/SPSProfiler.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/5288b15d22de/js/src/jit-test/tests/ion/bug901086.js
http://hg.mozilla.org/mozilla-central/file/5288b15d22de/js/src/jit-test/tests/basic/bug908915.js

This also asserts js shells from FTP at:

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-12-11-mozilla-central-debug/jsshell-mac64.zip

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/95144f555ba4
user:        Jeff Walden
date:        Tue Sep 23 13:03:40 2014 -0700
summary:     Bug 1052139 - Implement the ability to prevent modifying an extensible object's [[Prototype]].  r=efaust, r=bholley

Setting s-s because this seems to involve the SPS profiler.

Waldo/Kannan, any idea what's going on here?
Flags: needinfo?(kvijayan)
Flags: needinfo?(jwalden+bmo)

Attached file stack
(lldb) bt
* thread #1: tid = 0x1f4d7f, 0x00000001006e5b81 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::SPSProfiler::enter(this=<unavailable>, script=<unavailable>, maybeFun=<unavailable>) + 257 at SPSProfiler.cpp:160, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001006e5b81 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::SPSProfiler::enter(this=<unavailable>, script=<unavailable>, maybeFun=<unavailable>) + 257 at SPSProfiler.cpp:160
    frame #1: 0x00000001002118b7 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::jit::DoProfilerFallback(cx=0x0000000101d01cf0, frame=0x00007fff5fbfc9b0, stub=0x0000000101b32730) + 279 at BaselineIC.cpp:1100
    frame #2: 0x0000000101aedc41
    frame #3: 0x00000001049c9ce7
(lldb)

SPS assertions seem pretty unlikely to be me, I just adjusted code that happens to get called just so.  Reflag if the SPS assertions really truly are byproducts of something worse, but I really doubt it.
Flags: needinfo?(jwalden+bmo)

// Randomly chosen test: js/src/jit-test/tests/ion/bug901086.js
enableSPSProfiling();
// Randomly chosen test: js/src/jit-test/tests/basic/bug908915.js
evaluate("\
    for each(let e in newGlobal()) {\
        if (e.name == \"disableSPSProfiling\") {\
            e()\
        }\
    }\
    (function() {\
        arguments.__proto__.__proto__ = newGlobal();\
        function f(y) {\
            y()\
        }\
        for each(b in (function() {})) {\
            if (b.name == \"enableSPSProfiling\" ||\
                b.name == \"enableSPSProfilingWithSlowAssertions\" ||\
                b.name == \"setImmutablePrototype\") {\
                f(b)\
            }\
        }\
    })()\
", {
    compileAndGo: true
})

asserts js debug shell on m-c changeset b17e7747d3fb with --fuzzing-safe --no-threads --ion-eager at Assertion failure: stack_[i].pc() != nullptr, at vm/SPSProfiler.cpp.

Kannan, re-ping?

Massive thanks to :decoder for suggesting how to make this into a single testcase.
Whiteboard: [jsbugmon:update,testComment=3,origRev=b17e7747d3fb]

I've been watching this bug, but given that the patchset in bug 1057082 (ripping out the entire pseudostack infrastructure for jitcode and replacing it with active stack walking) is green on try and under review, I'm hoping that landing that can eliminate this entire class of bugs.

How urgent is this, gary?
Flags: needinfo?(kvijayan)

We may need to spot-fix this on branches (if needed) since it is unlikely that we will backport that bug.
Flags: needinfo?(kvijayan)
Whiteboard: [jsbugmon:update,testComment=3,origRev=b17e7747d3fb] → [jsbugmon:update,testComment=3,origRev=b17e7747d3fb,ignore]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 369a8f14ccf8).
Whiteboard: [jsbugmon:update,testComment=3,origRev=b17e7747d3fb,ignore] → [jsbugmon:testComment=3,origRev=b17e7747d3fb,bisectfix]
Whiteboard: [jsbugmon:testComment=3,origRev=b17e7747d3fb,bisectfix] → [jsbugmon:testComment=3,origRev=b17e7747d3fb]

JSBugMon: Fix Bisection requested, result:
Due to skipped revisions, the first good revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/97c0c777233d
user:        Kannan Vijayan
date:        Thu Jan 15 20:11:22 2015 -0500
summary:     Bug 1057082 - 6/7 - Modify profiler sampler to use jit stack walking instead of pseudostack. r=jandem r=BenWa

changeset:   https://hg.mozilla.org/mozilla-central/rev/809520c9cb0a
user:        Kannan Vijayan
date:        Thu Jan 15 20:11:22 2015 -0500
summary:     Bug 1057082 - 7/7 - Fix tests. r=jandem

This iteration took 323.820 seconds to run.

Kannan, I suppose bug 1057082 is a likely fix? We'd probably still need to fix this on branches, wouldn't we?

Yeah.  We'll need to spot fix this on branches we need it on.  Backporting bug 1057082 is not an option.
Flags: needinfo?(kvijayan)

(In reply to Kannan Vijayan [:djvj] from comment #9)
> Yeah.  We'll need to spot fix this on branches we need it on.  Backporting
> bug 1057082 is not an option.

This is marked fixed on 38 due to bug 1057082 landing on m-c, but setting needinfo? from :djvj for branch patches.
Flags: needinfo?(kvijayan)

If this regressed on 9/23 then Firefox 35 and 36 should be affected as well, yes?
Flags: needinfo?(gary)

Kannan might know better as to which exact branches are affected. (He still has a needinfo request)
Flags: needinfo?(gary)

I'm leaving needinfo on this.  I can replicate the issue but I don't know exactly what's causing it.  Given that it's a fuzzbug, and it requires some pretty specific conditions to trigger (ion-eager, specific sequences of calls, etc.), and that it doesn't seem to be a sec-high (it's a nullptr issue), I'm prioritizing some other work in front of this.

Just to clarify my response, I'm questioning whether we need to spot fix this at all.  It should be rare, only affect cases where we are profiling, is only triggered with --ion-eager situations, is not really an exploit candidate, and should automatically go away once the new profiler implementation works through the uplifts.

Closing with 'fixed'.  This bug is fixed.  Not really a candidate for uplift given comments 13 and 14.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(kvijayan)
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [jsbugmon:testComment=3,origRev=b17e7747d3fb] → [jsbugmon:testComment=3,origRev=b17e7747d3fb][adv-main38+]
Assignee: nobody → kvijayan
Target Milestone: --- → mozilla38
Group: core-security → core-security-release
Group: core-security-release