Closed
Bug 1111251
Opened 9 years ago
Closed 9 years ago
Assertion failure: stack_[i].pc() != nullptr, at vm/SPSProfiler.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
VERIFIED FIXED
Target milestone: mozilla38

Branch | Tracking | Status
---|---|---
firefox37 | --- | wontfix
firefox38 | --- | fixed
firefox39 | --- | fixed
firefox40 | --- | verified
firefox-esr31 | --- | unaffected
firefox-esr38 | --- | fixed
b2g-v2.0 | --- | unaffected
b2g-v2.0M | --- | unaffected
b2g-v2.1 | --- | unaffected
b2g-v2.1S | --- | unaffected
b2g-v2.2 | --- | wontfix
b2g-master | --- | fixed

People
(Reporter: gkw, Assigned: djvj)
References
Details
(4 keywords, Whiteboard: [jsbugmon:testComment=3,origRev=b17e7747d3fb][adv-main38+])
Attachments
(1 file: 1.69 KB, text/plain)
Description

```js
// Randomly chosen test: js/src/jit-test/tests/ion/bug901086.js
enableSPSProfiling();
// Randomly chosen test: js/src/jit-test/tests/basic/bug908915.js
load("bug908915.js");
```

and bug908915.js is:

```js
// Iterate the values of a fresh global and call its disableSPSProfiling() shell function.
for each(let e in newGlobal()) {
  if (e.name == "disableSPSProfiling") {
    e()
  }
}
(function() {
  // arguments.__proto__ is Object.prototype, so after this every object inherits
  // the shell functions of a fresh global through its prototype chain.
  arguments.__proto__.__proto__ = newGlobal()
  function f(y) {
    y()
  }
  // The plain function has no own enumerable properties; the values found here
  // come from the new global reached via the modified Object.prototype chain.
  for each(b in (function() {})) {
    if (b.name == "enableSPSProfiling" ||
        b.name == "enableSPSProfilingWithSlowAssertions" ||
        b.name == "setImmutablePrototype") {
      f(b)
    }
  }
})()
```

asserts js debug shell on m-c changeset 5288b15d22de with --fuzzing-safe --no-threads --ion-eager at Assertion failure: stack_[i].pc() != nullptr, at vm/SPSProfiler.cpp.

Debug configure options:

```
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
```

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/5288b15d22de/js/src/jit-test/tests/ion/bug901086.js
http://hg.mozilla.org/mozilla-central/file/5288b15d22de/js/src/jit-test/tests/basic/bug908915.js

This also asserts js shells from FTP at:

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-12-11-mozilla-central-debug/jsshell-mac64.zip

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/95144f555ba4
user: Jeff Walden
date: Tue Sep 23 13:03:40 2014 -0700
summary: Bug 1052139 - Implement the ability to prevent modifying an extensible object's [[Prototype]]. r=efaust, r=bholley

Setting s-s because this seems to involve the SPS profiler.

Waldo/Kannan, any idea what's going on here?
Flags: needinfo?(kvijayan)
Flags: needinfo?(jwalden+bmo)
Comment 1 • 9 years ago (Reporter)

```
(lldb) bt
* thread #1: tid = 0x1f4d7f, 0x00000001006e5b81 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::SPSProfiler::enter(this=<unavailable>, script=<unavailable>, maybeFun=<unavailable>) + 257 at SPSProfiler.cpp:160, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001006e5b81 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::SPSProfiler::enter(this=<unavailable>, script=<unavailable>, maybeFun=<unavailable>) + 257 at SPSProfiler.cpp:160
    frame #1: 0x00000001002118b7 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::jit::DoProfilerFallback(cx=0x0000000101d01cf0, frame=0x00007fff5fbfc9b0, stub=0x0000000101b32730) + 279 at BaselineIC.cpp:1100
    frame #2: 0x0000000101aedc41
    frame #3: 0x00000001049c9ce7
(lldb)
```
Comment 2 • 9 years ago

SPS assertions seem pretty unlikely to be me; I just adjusted code that happens to get called just so. Reflag if the SPS assertions really truly are byproducts of something worse, but I really doubt it.
Flags: needinfo?(jwalden+bmo)
Updated • 9 years ago
Keywords: sec-moderate
Comment 3 • 9 years ago (Reporter)

```js
// Randomly chosen test: js/src/jit-test/tests/ion/bug901086.js
enableSPSProfiling();
// Randomly chosen test: js/src/jit-test/tests/basic/bug908915.js
// The second test is inlined as a compile-and-go script so a single file reproduces the assertion.
evaluate("\
for each(let e in newGlobal()) {\
  if (e.name == \"disableSPSProfiling\") {\
    e()\
  }\
}\
(function() {\
  arguments.__proto__.__proto__ = newGlobal();\
  function f(y) {\
    y()\
  }\
  for each(b in (function() {})) {\
    if (b.name == \"enableSPSProfiling\" ||\
        b.name == \"enableSPSProfilingWithSlowAssertions\" ||\
        b.name == \"setImmutablePrototype\") {\
      f(b)\
    }\
  }\
})()\
", { compileAndGo: true })
```

asserts js debug shell on m-c changeset b17e7747d3fb with --fuzzing-safe --no-threads --ion-eager at Assertion failure: stack_[i].pc() != nullptr, at vm/SPSProfiler.cpp.

Kannan, re-ping?

Massive thanks to :decoder for suggesting how to make this into a single testcase.
Whiteboard: [jsbugmon:update,testComment=3,origRev=b17e7747d3fb]
Comment 4 • 9 years ago (Assignee)
I've been watching this bug, but given that the patchset in bug 1057082 (ripping out the entire pseudostack infrastructure for jitcode and replacing it with active stack walking) is green on try and under review, I'm hoping that landing that can eliminate this entire class of bugs. How urgent is this, gary?
Flags: needinfo?(kvijayan)
Comment 5 • 9 years ago (Reporter)
We may need to spot-fix this on branches (if needed) since it is unlikely that we will backport that bug.
Flags: needinfo?(kvijayan)
Updated • 9 years ago
Whiteboard: [jsbugmon:update,testComment=3,origRev=b17e7747d3fb] → [jsbugmon:update,testComment=3,origRev=b17e7747d3fb,ignore]
Comment 6 • 9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 369a8f14ccf8).
Updated • 9 years ago (Reporter)
Whiteboard: [jsbugmon:update,testComment=3,origRev=b17e7747d3fb,ignore] → [jsbugmon:testComment=3,origRev=b17e7747d3fb,bisectfix]
Updated • 9 years ago
Whiteboard: [jsbugmon:testComment=3,origRev=b17e7747d3fb,bisectfix] → [jsbugmon:testComment=3,origRev=b17e7747d3fb]
Comment 7 • 9 years ago

JSBugMon: Fix Bisection requested, result:
Due to skipped revisions, the first good revision could be any of:

changeset: https://hg.mozilla.org/mozilla-central/rev/97c0c777233d
user: Kannan Vijayan
date: Thu Jan 15 20:11:22 2015 -0500
summary: Bug 1057082 - 6/7 - Modify profiler sampler to use jit stack walking instead of pseudostack. r=jandem r=BenWa

changeset: https://hg.mozilla.org/mozilla-central/rev/809520c9cb0a
user: Kannan Vijayan
date: Thu Jan 15 20:11:22 2015 -0500
summary: Bug 1057082 - 7/7 - Fix tests. r=jandem

This iteration took 323.820 seconds to run.
Comment 8 • 9 years ago (Reporter)

Kannan, I suppose bug 1057082 is a likely fix? We'd probably still need to fix this on branches, don't we?
Comment 9 • 9 years ago (Assignee)
Yeah. We'll need to spot fix this on branches we need it on. Backporting bug 1057082 is not an option.
Flags: needinfo?(kvijayan)
Comment 10 • 9 years ago (Reporter)

(In reply to Kannan Vijayan [:djvj] from comment #9)
> Yeah. We'll need to spot fix this on branches we need it on. Backporting
> bug 1057082 is not an option.

This is marked fixed on 38 due to bug 1057082 landing on m-c, but setting needinfo? from :djvj for branch patches.
status-firefox38: --- → fixed
Flags: needinfo?(kvijayan)
Comment 11 • 9 years ago
If this regressed on 9/23 then Firefox 35 and 36 should be affected as well, yes?
Flags: needinfo?(gary)
Updated • 9 years ago
status-firefox36: --- → ?
Comment 12 • 9 years ago (Reporter)
Kannan might know better as to which exact branches are affected. (He still has a needinfo request)
Flags: needinfo?(gary)
Comment 13 • 9 years ago (Assignee)
I'm leaving needinfo on this. I can replicate the issue but I don't know exactly what's causing it. Given that it's a fuzzbug, and it requires some pretty specific conditions to trigger (ion-eager, specific sequences of calls, etc.), and that it doesn't seem to be a sec-high (it's a nullptr issue), I'm prioritizing some other work in front of this.
Comment 14 • 9 years ago (Assignee)
Just to clarify my response, I'm questioning whether we need to spot fix this at all. It should be rare, only affect cases where we are profiling, is only triggered with --ion-eager situations, is not really an exploit candidate, and should automatically go away once the new profiler implementation works through the uplifts.
Comment 15 • 9 years ago (Assignee)
Closing with 'fixed'. This bug is fixed. Not really a candidate for uplift given comments 13 and 14.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(kvijayan)
Resolution: --- → FIXED
Updated • 9 years ago
Status: RESOLVED → VERIFIED
status-firefox40: --- → verified
Comment 16 • 9 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 9 years ago
status-firefox36: ? → ---
Updated • 9 years ago
status-firefox-esr31: --- → unaffected
Whiteboard: [jsbugmon:testComment=3,origRev=b17e7747d3fb] → [jsbugmon:testComment=3,origRev=b17e7747d3fb][adv-main38+]
Updated • 9 years ago
Assignee: nobody → kvijayan
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → wontfix
status-b2g-master: --- → fixed
status-firefox-esr38: --- → fixed
Target Milestone: --- → mozilla38
Updated • 9 years ago
status-firefox39: --- → fixed
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release