Closed Bug 1134515 Opened 10 years ago Closed 10 years ago

Assertion failure: entry.isJs(), at vm/SPSProfiler.cpp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla39
Tracking Flags:
Tracking Status
firefox37 --- unaffected
firefox38 --- verified
firefox39 --- verified
firefox-esr31 --- unaffected
firefox-esr38 --- fixed
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed

People

(Reporter: gkw, Assigned: djvj)

References

Details

(4 keywords, Whiteboard: [jsbugmon:][post-critsmash-triage])

Attachments

(2 files, 1 obsolete file)

stack
3.91 KB, text/plain
Details
fix-bug-1134515.patch
775 bytes, patch
shu
: review+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review
enableSPSProfiling() y = new Uint8ClampedArray x = y y.valueOf = function() { try { x == 2 } catch (e) {} evalcx("", this.z) } Number(y) asserts js debug shell on m-c changeset 93ddd99ffd86 with --fuzzing-safe --no-threads --no-ion at Assertion failure: entry.isJs(), at vm/SPSProfiler.cpp. Debug configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build -R ~/trees/mozilla-central" -r 93ddd99ffd86 autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/635e101ed2be user: Kannan Vijayan date: Wed Jan 14 16:19:13 2015 -0500 summary: Bug 1057082 - 3/7 - Modify jits to use lastProfilingFrame and lastProfilingCallSite fields. r=jandem S-s because this is related to profiling. Kannan, is bug 1057082 a likely regressor?
Flags: needinfo?(kvijayan)
Attached file stack
(lldb) bt 5 * thread #1: tid = 0xe53c7, 0x00000001002bf063 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::SPSBaselineOSRMarker::SPSBaselineOSRMarker(this=<unavailable>, rt=<unavailable>, hasSPSFrame=<unavailable>, _notifier=<unavailable>) + 275 at SPSProfiler.cpp:365, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x00000001002bf063 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::SPSBaselineOSRMarker::SPSBaselineOSRMarker(this=<unavailable>, rt=<unavailable>, hasSPSFrame=<unavailable>, _notifier=<unavailable>) + 275 at SPSProfiler.cpp:365 frame #1: 0x0000000100216a2d js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`Interpret(cx=0x0000000101f01f30, state=0x00007fff5fa03218) + 3949 at Interpreter.cpp:1732 frame #2: 0x0000000100215a8d js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::RunScript(cx=0x0000000101f01f30, state=0x00007fff5fa03218) + 301 at Interpreter.cpp:444 frame #3: 0x0000000100204e3d js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::Invoke(cx=0x0000000101f01f30, args=CallArgs at 0x00007fff5fa032a0, construct=<unavailable>) + 733 at Interpreter.cpp:513 frame #4: 0x0000000100101b01 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`IntlInitialize(cx=0x0000000101f01f30, obj=<unavailable>, initializer=<unavailable>, locales=<unavailable>, options=<unavailable>) + 593 at Intl.cpp:417 (lldb)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 993eb76a8bd6).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/cdc1a9758b94 user: Nicolas B. Pierron date: Thu Feb 26 12:18:28 2015 +0100 summary: Bug 1112164 part 14 - Add types to x86/x64 float registers. r=bbouvier,jandem This iteration took 197.730 seconds to run.
nbp, is comment 3 a likely fix for this issue?
Flags: needinfo?(nicolas.b.pierron)
(In reply to Christian Holler (:decoder) from comment #4) > nbp, is comment 3 a likely fix for this issue? I do not think so.
Flags: needinfo?(nicolas.b.pierron)
Assignee: nobody → kvijayan
Flags: needinfo?(kvijayan)
It turns out that the Invoke function can get called directly from a non-Interpreter context. I think the only real fix is to make the assert into a conditional, and not do the markOSR in that situation.
Attached patch fix-bug-1134515.patch (obsolete) — Splinter Review
Attachment #8575481 - Flags: review?(shu)
Comment on attachment 8575481 [details] [diff] [review] fix-bug-1134515.patch Review of attachment 8575481 [details] [diff] [review]: ----------------------------------------------------------------- I don't think this is the right fix. Here's what I see in gdb: (gdb) p *profiler->size_ $35 = 1091 (gdb) p profiler->max_ $36 = 1000 Something seems wrong here.
Attachment #8575481 - Flags: review?(shu)
ISTM these markers need to all check if profiler->size() < profiler->max, else we'd be modifying beyond the end of profiler->stack().
So this is actually s-s; don't open.
Ah crap. You're right. I banged this out a few minutes before my talk yesterday. Should have taken a closer look. Thanks for catching that.
Actual fix.
Attachment #8575481 - Attachment is obsolete: true
Attachment #8576085 - Flags: review?(shu)
Attachment #8576085 - Flags: review?(shu) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/2d5eaa85e9da Setting in-testsuite? for test push later.
Flags: in-testsuite?
https://hg.mozilla.org/mozilla-central/rev/2d5eaa85e9da Please nominate this for Aurora approval when you get a chance :)
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox37: --- → unaffected
status-firefox39: --- → fixed
status-firefox-esr31: --- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Status: RESOLVED → VERIFIED
status-firefox39: fixedverified
JSBugMon: This bug has been automatically verified fixed.
Comment on attachment 8576085 [details] [diff] [review] fix-bug-1134515.patch Approval Request Comment [Feature/regressing bug #]: bug 1057082 [User impact if declined]: sec-moderate bugs if profiler enabled. [Describe test coverage new/current, TreeHerder]: In tree for a month. [Risks and why]: Low risk. [String/UUID change made/needed]: N/A
Attachment #8576085 - Flags: approval-mozilla-beta?
Comment on attachment 8576085 [details] [diff] [review] fix-bug-1134515.patch Should be in 38 beta 4
Attachment #8576085 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
JSBugMon: This bug has been automatically verified fixed on Fx38
Group: core-security → core-security-release
Whiteboard: [jsbugmon:] → [jsbugmon:][post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: