Closed Bug 1111327 Opened 10 years ago Closed 10 years ago

Assertion failure: aIndex < mLength, at dist/include/mozilla/Vector.h

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla37
Tracking Flags:
Tracking Status
firefox34 --- wontfix
firefox35 --- wontfix
firefox36 --- wontfix
firefox37 --- verified
firefox-esr31 --- unaffected

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords, Whiteboard: [adv-main37+])

Attachments

(2 files)

stack
7.52 KB, text/plain
Details
fix
3.30 KB, patch
dougc
: review+
Details | Diff | Splinter Review 
// Randomly chosen test: js/src/jit-test/tests/basic/bug908915.js
enableSPSProfilingWithSlowAssertions();
enableSingleStepProfiling();
// Randomly chosen test: js/src/jit-test/tests/asm.js/testResize.js
function a() {
    f = Function.apply(null, arguments);
}
function b() {
    return f.apply(null, Array.slice(arguments, 1));
}
var m = a("\
    \"use asm\"; \
    function f() {}\
    return f\
")
assertEq(b(m, this)(), undefined);
b(m, this)()

asserts js debug 32-bit ARM-simulator shell on m-c changeset f14dcd1c8c0b with --fuzzing-safe --no-threads --ion-eager at Assertion failure: aIndex < mLength, at dist/include/mozilla/Vector.h.

Debug configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/jit-test/tests/basic/bug908915.js
http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/jit-test/tests/asm.js/testResize.js

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7797ecb20e4b
user:        Luke Wagner
date:        Tue Jul 29 09:56:21 2014 -0500
summary:     Bug 1040390 - Replace ad hoc methods with JS::ProfilingFrameIterator::label() (r=dougc)

Setting s-s because this seems to involve the SPS profiler.

Luke, is bug 1040390 a likely regressor?
Flags: needinfo?(luke)
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0x310581, 0x0014883c js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`mozilla::VectorBase<mozilla::UniquePtr<char, JS::FreePolicy>, 0ul, js::SystemAllocPolicy, js::Vector<mozilla::UniquePtr<char, JS::FreePolicy>, 0ul, js::SystemAllocPolicy> >::operator[](this=<unavailable>, aIndex=<unavailable>) const + 156 at Vector.h:415, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0014883c js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`mozilla::VectorBase<mozilla::UniquePtr<char, JS::FreePolicy>, 0ul, js::SystemAllocPolicy, js::Vector<mozilla::UniquePtr<char, JS::FreePolicy>, 0ul, js::SystemAllocPolicy> >::operator[](this=<unavailable>, aIndex=<unavailable>) const + 156 at Vector.h:415
    frame #1: 0x0009014d js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::AsmJSProfilingFrameIterator::label() const [inlined] js::AsmJSModule::CodeRange::functionProfilingLabel(js::AsmJSModule const&) const + 29 at AsmJSModule.h:609
    frame #2: 0x00090130 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`js::AsmJSProfilingFrameIterator::label(this=0xbfffe344) const + 80 at AsmJSFrameIterator.cpp:725
    frame #3: 0x0077fdd7 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`JS::ProfilingFrameIterator::label(this=<unavailable>) const + 39 at Stack.cpp:1749
    frame #4: 0x00016f82 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-f14dcd1c8c0b`SingleStepCallback(arg=0x02041400, sim=0x0280a800, pc=0x04110000) + 194 at js.cpp:4096
(lldb)
Attached patch fixSplinter Review 
Oops; the profilingEnabled_ state gets copied over when cloning modules (it must, b/c the machine code has been patched to match profilingEnabled_) but profilingLabels_ was not duplicated into the destination module.

If functionality was available by default, it'd be s-s, but, as is, it can only be hit when the user has enabled profiling.  I'm not sure whether that qualifies, but probably best to leave hidden.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Flags: needinfo?(luke)
Attachment #8536939 - Flags: review?(dtc-moz)
Attachment #8536939 - Flags: review?(dtc-moz) → review+
https://hg.mozilla.org/mozilla-central/rev/47fdf6370008
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox37: affectedfixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Status: RESOLVED → VERIFIED
status-firefox37: fixedverified
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [adv-main37+]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: