Closed Bug 1134515 Opened 9 years ago Closed 9 years ago

Assertion failure: entry.isJs(), at vm/SPSProfiler.cpp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla39
Tracking Flags:
Tracking Status
firefox37 --- unaffected
firefox38 --- verified
firefox39 --- verified
firefox-esr31 --- unaffected
firefox-esr38 --- fixed
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed

People

(Reporter: gkw, Assigned: djvj)

References

Details

(4 keywords, Whiteboard: [jsbugmon:][post-critsmash-triage])

Attachments

(2 files, 1 obsolete file)

stack
3.91 KB, text/plain
Details
fix-bug-1134515.patch
775 bytes, patch
shu
: review+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review 
enableSPSProfiling()
y = new Uint8ClampedArray
x = y
y.valueOf = function() {
    try {
        x == 2
    } catch (e) {}
    evalcx("", this.z)
}
Number(y)

asserts js debug shell on m-c changeset 93ddd99ffd86 with --fuzzing-safe --no-threads --no-ion at Assertion failure: entry.isJs(), at vm/SPSProfiler.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build -R ~/trees/mozilla-central" -r 93ddd99ffd86

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/635e101ed2be
user:        Kannan Vijayan
date:        Wed Jan 14 16:19:13 2015 -0500
summary:     Bug 1057082 - 3/7 - Modify jits to use lastProfilingFrame and lastProfilingCallSite fields. r=jandem

S-s because this is related to profiling. Kannan, is bug 1057082 a likely regressor?
Flags: needinfo?(kvijayan)
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0xe53c7, 0x00000001002bf063 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::SPSBaselineOSRMarker::SPSBaselineOSRMarker(this=<unavailable>, rt=<unavailable>, hasSPSFrame=<unavailable>, _notifier=<unavailable>) + 275 at SPSProfiler.cpp:365, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002bf063 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::SPSBaselineOSRMarker::SPSBaselineOSRMarker(this=<unavailable>, rt=<unavailable>, hasSPSFrame=<unavailable>, _notifier=<unavailable>) + 275 at SPSProfiler.cpp:365
    frame #1: 0x0000000100216a2d js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`Interpret(cx=0x0000000101f01f30, state=0x00007fff5fa03218) + 3949 at Interpreter.cpp:1732
    frame #2: 0x0000000100215a8d js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::RunScript(cx=0x0000000101f01f30, state=0x00007fff5fa03218) + 301 at Interpreter.cpp:444
    frame #3: 0x0000000100204e3d js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`js::Invoke(cx=0x0000000101f01f30, args=CallArgs at 0x00007fff5fa032a0, construct=<unavailable>) + 733 at Interpreter.cpp:513
    frame #4: 0x0000000100101b01 js-dbg-64-dm-nsprBuild-darwin-93ddd99ffd86`IntlInitialize(cx=0x0000000101f01f30, obj=<unavailable>, initializer=<unavailable>, locales=<unavailable>, options=<unavailable>) + 593 at Intl.cpp:417
(lldb)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 993eb76a8bd6).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cdc1a9758b94
user:        Nicolas B. Pierron
date:        Thu Feb 26 12:18:28 2015 +0100
summary:     Bug 1112164 part 14 - Add types to x86/x64 float registers. r=bbouvier,jandem

This iteration took 197.730 seconds to run.
nbp, is comment 3 a likely fix for this issue?
Flags: needinfo?(nicolas.b.pierron)
(In reply to Christian Holler (:decoder) from comment #4)
> nbp, is comment 3 a likely fix for this issue?

I do not think so.
Flags: needinfo?(nicolas.b.pierron)
Assignee: nobody → kvijayan
Flags: needinfo?(kvijayan)
It turns out that the Invoke function can get called directly from a non-Interpreter context.  I think the only real fix is to make the assert into a conditional, and not do the markOSR in that situation.
Attached patch fix-bug-1134515.patch (obsolete) — Splinter Review 

        Attachment #8575481 -
        Flags: review?(shu)

    
    

    
  
Comment on attachment 8575481 [details] [diff] [review]
fix-bug-1134515.patch

Review of attachment 8575481 [details] [diff] [review]:
-----------------------------------------------------------------

I don't think this is the right fix.

Here's what I see in gdb:

(gdb) p *profiler->size_
$35 = 1091
(gdb) p profiler->max_
$36 = 1000

Something seems wrong here.

        Attachment #8575481 -
        Flags: review?(shu)

    
    

    
  
ISTM these markers need to all check if profiler->size() < profiler->max, else we'd be modifying beyond the end of profiler->stack().

    
    

    
  
So this is actually s-s; don't open.

    
    

    
  
Ah crap.  You're right.  I banged this out a few minutes before my talk yesterday.  Should have taken a closer look.  Thanks for catching that.

    
    

    
  


  
Actual fix.

        Attachment #8575481 -
        Attachment is obsolete: true

        Attachment #8576085 -
        Flags: review?(shu)

    
  

        Attachment #8576085 -
        Flags: review?(shu) → review+

    
    

    
  
https://hg.mozilla.org/integration/mozilla-inbound/rev/2d5eaa85e9da

Setting in-testsuite? for test push later.
Flags: in-testsuite?

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/2d5eaa85e9da

Please nominate this for Aurora approval when you get a chance :)
Status: NEW → RESOLVED
Closed: 9 years ago

          status-firefox37:
          --- → unaffected

          status-firefox39:
          --- → fixed

          status-firefox-esr31:
          --- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Status: RESOLVED → VERIFIED

          status-firefox39:
          fixedverified

    
    

    
  
JSBugMon: This bug has been automatically verified fixed.

    
    

    
  
Comment on attachment 8576085 [details] [diff] [review]
fix-bug-1134515.patch

Approval Request Comment
[Feature/regressing bug #]:
bug 1057082 

[User impact if declined]:
sec-moderate bugs if profiler enabled.

[Describe test coverage new/current, TreeHerder]:
In tree for a month.

[Risks and why]: 
Low risk.

[String/UUID change made/needed]:
N/A

        Attachment #8576085 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 8576085 [details] [diff] [review]
fix-bug-1134515.patch

Should be in 38 beta 4

        Attachment #8576085 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

    
    

    
  
JSBugMon: This bug has been automatically verified fixed on Fx38

    
  
Group: core-security → core-security-release
Whiteboard: [jsbugmon:] → [jsbugmon:][post-critsmash-triage]
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: