Closed
Bug 1116103
Opened 10 years ago
Closed 9 years ago
Crash [@ js::jit::RecompileOnStackBaselineScriptsForDebugMode] or Assertion failure: needsRecompileInfo() && recompInfo, at jit/BaselineDebugModeOSR.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla37
| Tracking | Status
---|---|---
firefox37 | --- | affected
People
(Reporter: gkw, Assigned: shu)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(3 files)
// Randomly chosen test: js/src/jit-test/tests/debug/bug1001372.js
evaluate(`
var g = newGlobal();
g.parent = this;
g.eval('new Debugger(parent).onExceptionUnwind = function() {};');
`)
// Randomly chosen test: js/src/jit-test/tests/ion/bug1070465.js
{
    while (x && 0) {}
    let x
}

asserts js debug shell on m-c changeset 8850aa0f5332 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: needsRecompileInfo() && recompInfo, at jit/BaselineDebugModeOSR.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20141227095030" and the hash "3f980229dfc1".
The "bad" changeset has the timestamp "20141227210313" and the hash "68aa6c741e27".

Likely regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=3f980229dfc1&tochange=68aa6c741e27

Shu-yu, are any of these bugs likely regressors?
Flags: needinfo?(shu)
Reporter
Comment 1•10 years ago
(lldb) bt 5
* thread #1: tid = 0x23f256, 0x0000000100201fbc js-dbg-opt-64-dm-nsprBuild-darwin-8850aa0f5332`js::jit::RecompileOnStackBaselineScriptsForDebugMode(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving) [inlined] CloneOldBaselineStub(cx=<unavailable>, entries=0x0000000101c14f10, entryIndex=<unavailable>) + 91 at BaselineDebugModeOSR.cpp:695, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100201fbc js-dbg-opt-64-dm-nsprBuild-darwin-8850aa0f5332`js::jit::RecompileOnStackBaselineScriptsForDebugMode(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving) [inlined] CloneOldBaselineStub(cx=<unavailable>, entries=0x0000000101c14f10, entryIndex=<unavailable>) + 91 at BaselineDebugModeOSR.cpp:695
    frame #1: 0x0000000100201f61 js-dbg-opt-64-dm-nsprBuild-darwin-8850aa0f5332`js::jit::RecompileOnStackBaselineScriptsForDebugMode(cx=<unavailable>, obs=<unavailable>, observing=<unavailable>) + 6977 at BaselineDebugModeOSR.cpp:850
    frame #2: 0x0000000100623029 js-dbg-opt-64-dm-nsprBuild-darwin-8850aa0f5332`js::Debugger::updateExecutionObservabilityOfFrames(cx=0x0000000101c14f10, obs=0x00007fff5fbfddb8, observing=Observing) + 89 at Debugger.cpp:1831
    frame #3: 0x000000010061950a js-dbg-opt-64-dm-nsprBuild-darwin-8850aa0f5332`js::Debugger::ensureExecutionObservabilityOfFrame(cx=0x0000000101c14f10, frame=(ptr_ = 140734799801634)) + 330 at Debugger.cpp:1995
    frame #4: 0x00000001006191fc js-dbg-opt-64-dm-nsprBuild-darwin-8850aa0f5332`js::Debugger::getScriptFrameWithIter(this=<unavailable>, cx=0x0000000101c14f10, frame=(ptr_ = 140734799801634), maybeIter=<unavailable>, vp=<unavailable>) + 508 at Debugger.cpp:465
(lldb)
Reporter
Comment 2•10 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6f539847f42c
user:        Shu-yu Guo
date:        Sat Dec 27 21:03:13 2014 -0800
summary:     Bug 1115847 - Commit correct version of patch from bug 1100337. (r=me)
Blocks: 1115847
Reporter
Comment 3•9 years ago
This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/8850aa0f5332/js/src/jit-test/tests/debug/bug1001372.js
http://hg.mozilla.org/mozilla-central/file/8850aa0f5332/js/src/jit-test/tests/ion/bug1070465.js
Assignee
Comment 4•9 years ago
So, long story: I screwed up a push of bug 1100337 way back when, but when I corrected that, that patch had another bug (ugh).

Recall that the patch in bug 1100337, for bailing in-place on exceptions, uses a native code addr for the throwing pc instead of looking up ICs, since the pc offset as identified by the SnapshotIter might not have any ICs.

In the debug mode OSR code, when patching the stack, we look for pc offset via maybeICEntryFromReturnAddress. Now consider bytecode like:

00027:  8  loopentry 129
00029:  8  checklexical 0

checklexical can throw, and if we bailed out in place, we set the return address as the starting address of 29. Sometime later, we enter the debug mode OSR code. Turns out loopentry has an ICEntry for the warmup counter stuff, so the return-from-IC address of 27 is the *same address* as the starting address of offset 29.

For exception handling debug mode OSR, we want to report the offset of 29, since that's what threw, but for non-exception handling, we want to report the offset of 27. To avoid this ambiguity, when handling exceptions, just don't look up IC entries.
Attachment #8542320 -
Flags: review?(jdemooij)
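The address ambiguity described in comment 4 is easy to lose track of in prose, so here is a small C++ model of it. This is an added example, not SpiderMonkey code or the attached patch: the struct names, the table lookup functions, and every address and offset are constructed to reproduce the layout in the comment (an IC owned by loopentry at offset 27 whose return address coincides with the first native instruction of checklexical at offset 29). The "before" function always consults the IC table, as the debug mode OSR stack patching did; the "after" function skips that lookup when the frame is being patched for exception handling, which is the shape of the fix the comment describes.

```cpp
// Toy model of mapping a frame's native return address back to a bytecode
// offset. Not SpiderMonkey code; layout and values are constructed.
#include <cstdint>
#include <cstdio>
#include <vector>

// One inline-cache entry: the bytecode offset that owns the IC and the native
// address execution returns to once the IC has finished.
struct ICEntry {
    uint32_t pcOffset;
    uintptr_t returnAddr;
};

// Native start address of each bytecode op in the (constructed) compiled code.
struct OpStart {
    uint32_t pcOffset;
    uintptr_t nativeAddr;
};

// Constructed layout mirroring the bytecode quoted in comment 4:
//   27: loopentry    (has an IC for the warm-up counter)
//   29: checklexical (can throw, has no IC)
// The loopentry IC returns to 0x1040, which is exactly where op 29 begins.
static const std::vector<ICEntry> kICEntries = { {27, 0x1040} };
static const std::vector<OpStart> kOps = { {27, 0x1000}, {29, 0x1040}, {31, 0x1080} };

// Analogue of a maybeICEntryFromReturnAddress-style lookup: the IC whose
// return address is exactly addr, or nullptr when no IC returns there.
const ICEntry* icEntryFromReturnAddress(uintptr_t addr) {
    for (const ICEntry& e : kICEntries)
        if (e.returnAddr == addr) return &e;
    return nullptr;
}

// Map a native address to the op containing it: the op with the largest
// start address that is not greater than addr.
uint32_t pcOffsetFromNativeAddress(uintptr_t addr) {
    uint32_t best = kOps.front().pcOffset;
    for (const OpStart& op : kOps)
        if (op.nativeAddr <= addr) best = op.pcOffset;
    return best;
}

// Before the fix: always prefer the IC table. A frame whose return address
// was set by an in-place bailout to the start of the throwing op (0x1040)
// matches the loopentry IC and is reported as offset 27 instead of 29.
uint32_t resolvePcOffsetBefore(uintptr_t returnAddr) {
    if (const ICEntry* ic = icEntryFromReturnAddress(returnAddr)) return ic->pcOffset;
    return pcOffsetFromNativeAddress(returnAddr);
}

// After the fix: when patching a frame for exception handling, skip the IC
// lookup and treat the address as the start of the throwing op. The
// non-exception path is unchanged and still reports the IC's owner.
uint32_t resolvePcOffsetAfter(uintptr_t returnAddr, bool handlingException) {
    if (!handlingException) {
        if (const ICEntry* ic = icEntryFromReturnAddress(returnAddr)) return ic->pcOffset;
    }
    return pcOffsetFromNativeAddress(returnAddr);
}

int main() {
    const uintptr_t throwingPc = 0x1040;  // address left in the frame by the in-place bailout
    std::printf("before fix, exception case: offset %u (should be 29)\n", resolvePcOffsetBefore(throwingPc));
    std::printf("after fix,  exception case: offset %u\n", resolvePcOffsetAfter(throwingPc, true));
    std::printf("after fix,  IC return case: offset %u\n", resolvePcOffsetAfter(throwingPc, false));
    return 0;
}
```

The point the model makes is that the raw return address alone cannot distinguish "returned from the IC at 27" from "about to execute 29"; only the caller knows which situation it is in, so the disambiguating bit has to come from the exception-handling context rather than from another table lookup.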
Reporter
Comment 6•9 years ago
The same testcase crashes opt builds at js::jit::RecompileOnStackBaselineScriptsForDebugMode.

Opt configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Reporter
Comment 7•9 years ago
Assigning to Shu-yu as he has a patch.
Assignee: nobody → shu
Status: NEW → ASSIGNED
Crash Signature: [@ js::jit::RecompileOnStackBaselineScriptsForDebugMode]
Keywords: crash
Summary: Assertion failure: needsRecompileInfo() && recompInfo, at jit/BaselineDebugModeOSR.cpp → Crash [@ js::jit::RecompileOnStackBaselineScriptsForDebugMode] or Assertion failure: needsRecompileInfo() && recompInfo, at jit/BaselineDebugModeOSR.cpp
Updated•9 years ago
Attachment #8542320 -
Flags: review?(jdemooij) → review+
Assignee
Comment 8•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/aeac390e496f
Comment 9•9 years ago
https://hg.mozilla.org/mozilla-central/rev/aeac390e496f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla37