Assertion failure: Mismatch between stored lastProfilingFrame and current stack pointer., at js/src/jit/MacroAssembler.cpp:1565

RESOLVED FIXED in Firefox 39

Status: RESOLVED FIXED
Priority: --
Severity: critical
Reported: 4 years ago
Modified: 4 years ago
People

(Reporter: decoder, Assigned: djvj)

Tracking

Blocks: 1 bug
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla39
Platform: x86_64 Linux
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox38 affected, firefox39 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

Description (Reporter, 4 years ago)
The following testcase crashes on mozilla-central revision 86d2bb8bb1c9 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2):

// Each iteration compiles a fresh function that turns the SPS profiler on
// and then off again inside the same JIT frame. enableSPSProfiling*,
// disableSPSProfiling are JS shell testing functions.
for (var idx = 0; idx < 20; ++idx) {
  newFunc("enableSPSProfilingWithSlowAssertions(); disableSPSProfiling();");
}
// Finally turn profiling on from a nested call and return to the caller
// while it is still enabled.
newFunc("enableSPSProfiling();");
// Compiles the source string as a new function and runs it.
function newFunc(x) { new Function(x)(); }

Backtrace:

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff558713b in ?? ()
#0  0x00007ffff558713b in ?? ()
#1  0x00007ffff5587cd1 in ?? ()
#2  0x0000000000000203 in ?? ()
#3  0x00007ffff565d12a in ?? ()
#4  0x0000000000000000 in ?? ()
rax	0x1	1
rbx	0xfff8800000000014	-2111062325329900
rcx	0xfff9000000000000	-1970324836974592
rdx	0x1a10bd0	27331536
rsi	0x7ffff5591768	140737309644648
rdi	0x1afe3f8	28304376
rbp	0x7fffffffc850	140737488341072
rsp	0x7fffffffc7f0	140737488340976
r8	0x7fffffffc740	140737488340800
r9	0x11	17
r10	0x1afe3f8	28304376
r11	0x7ffff6c3a940	140737333406016
r12	0x8	8
r13	0x7fffffffcab0	140737488341680
r14	0x7ffff565b0c0	140737310470336
r15	0x0	0
rip	0x7ffff558713b	140737309602107
=> 0x7ffff558713b:	mov    0x8(%rsp),%r8
   0x7ffff5587140:	mov    %r8,%r9


I think we had a bug somewhere with a very similar test but I couldn't find it and it also didn't have this assertion as far as I can remember.
Updated (Reporter, 4 years ago)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 (Reporter, 4 years ago)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/70a8168c7d24
user:        Kannan Vijayan
date:        Thu Jan 15 20:11:21 2015 -0500
summary:     Bug 1057082 - 3/7 - Modify jits to use lastProfilingFrame and lastProfilingCallSite fields. r=jandem

This iteration took 188.368 seconds to run.
Comment 2 (Reporter, 4 years ago)
Needinfo from djvj based on comment 1 :)
Flags: needinfo?(kvijayan)
Updated (Assignee, 4 years ago)
Flags: needinfo?(kvijayan)
QA Contact: kvijayan
Assignee: nobody → kvijayan
Comment 3 (Assignee, 4 years ago)
Created attachment 8576159 [details] [diff] [review]
fix-bug-1135703.patch

The problem is that when enabling/disabling the profiler, we don't go through all the JitFrames and set lastProfilingFrame appropriately.  We only set the lastProfilingFrame on the topmost JitFrame.

The test case triggers the issue by turning on profiling, then turning off profiling in the same frame (thereby causing lastProfilingFrame to become stale), and then turning profiling on again in a sub-activation.  When we return from the sub-activation with profiling turned on, the lastProfilingFrame ptr does not match.

Fix is to ensure that all JitActivations have their lastProfilingFrame (and lastProfilingCallSite) properly reset when profiling is turned on or off.
Attachment #8576159 - Flags: review?(shu)
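To make the mechanism described in comment 3 concrete, here is an added example: a simplified C++ model of a stack of JitActivations, each carrying a lastProfilingFrame field, with the profiler toggled either the pre-fix way (only the topmost activation is touched) or the fixed way (every activation is reset). This is not SpiderMonkey code and not the patch; the names Runtime, Activation, replayTestcase, invariantHolds, the frame addresses and the exact rule for when the JIT updates lastProfilingFrame are assumptions of the model. The replay follows the reporter's testcase: enable then disable in one frame, push a frame while profiling is off, enable again from a sub-activation, and return.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for the stack pointer of a JIT frame (model assumption).
using FramePtr = uintptr_t;

// One JitActivation: the JIT frames it owns (innermost last) plus the
// profiler bookkeeping fields the patch resets.
struct Activation {
    std::vector<FramePtr> frames;
    FramePtr lastProfilingFrame = 0;      // 0 = nothing recorded
    FramePtr lastProfilingCallSite = 0;   // reset alongside lastProfilingFrame

    FramePtr top() const { return frames.empty() ? 0 : frames.back(); }
};

struct Runtime {
    std::vector<Activation> activations;  // activation stack, innermost last
    bool profiling = false;
    bool resetAllActivations;             // false: pre-fix, true: with the fix

    explicit Runtime(bool fixed) : resetAllActivations(fixed) {}

    Activation& current() { return activations.back(); }

    // Model assumption: JIT prologue/epilogue code keeps lastProfilingFrame
    // in sync only while the profiler is on, so a frame pushed while it is
    // off is never recorded.
    void pushFrame(FramePtr fp) {
        current().frames.push_back(fp);
        if (profiling) current().lastProfilingFrame = fp;
    }
    void popFrame() {
        current().frames.pop_back();
        if (profiling) current().lastProfilingFrame = current().top();
    }

    static void resetProfilingFields(Activation& a, bool on) {
        a.lastProfilingFrame = on ? a.top() : 0;
        a.lastProfilingCallSite = 0;
    }

    // enable/disableSPSProfiling(): before the fix only the topmost
    // activation was updated; the fix walks every activation on the stack.
    void setProfiling(bool on) {
        profiling = on;
        if (resetAllActivations) {
            for (Activation& a : activations) resetProfilingFields(a, on);
        } else {
            resetProfilingFields(current(), on);
        }
    }

    // The invariant behind "Mismatch between stored lastProfilingFrame and
    // current stack pointer": with profiling on, the recorded frame must be
    // the frame being resumed.
    bool invariantHolds() {
        return !profiling || current().lastProfilingFrame == current().top();
    }
};

// Replays the reporter's testcase at activation level. Returns true when the
// invariant is violated on return from the sub-activation, i.e. when the
// assertion would fire.
bool replayTestcase(bool fixed) {
    Runtime rt(fixed);
    rt.activations.emplace_back();
    rt.pushFrame(0x1000);                 // outer script frame (constructed address)

    // enableSPSProfilingWithSlowAssertions(); disableSPSProfiling();
    // toggled within the same frame.
    rt.setProfiling(true);
    rt.setProfiling(false);

    // Profiling is off, so this call frame is pushed without being recorded.
    rt.pushFrame(0x0f00);

    // new Function("enableSPSProfiling();")() re-enters the JIT and runs in a
    // sub-activation, which turns profiling back on.
    rt.activations.emplace_back();
    rt.pushFrame(0x0e00);
    rt.setProfiling(true);

    // Return to the outer activation with profiling on and check the
    // invariant where the JIT's assertion checks it.
    rt.activations.pop_back();
    return !rt.invariantHolds();
}

int main() {
    std::printf("before fix: mismatch=%d\n", replayTestcase(false));
    std::printf("after fix:  mismatch=%d\n", replayTestcase(true));
    return 0;
}
```

The pre-fix path leaves the outer activation's lastProfilingFrame pointing at nothing useful while its real top frame has moved on; the fixed path rewrites every activation's field from its current top frame at the moment profiling is switched, so the outer activation is consistent by the time control returns to it.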

Comment 4 (4 years ago)
Comment on attachment 8576159 [details] [diff] [review]
fix-bug-1135703.patch

Review of attachment 8576159 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM, thanks for explanation.
Attachment #8576159 - Flags: review?(shu) → review+
Comment 5 (Assignee, 4 years ago)
Try run here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=34b16cc3797c

The reds on OSX 10.6 are present in other try builds for other patches, and seems to be a try issue.  Other oranges are SIMD related, and some intermittents.  Waiting until more results finish before pushing.
Updated (Assignee, 4 years ago)
Flags: in-testsuite?
https://hg.mozilla.org/mozilla-central/rev/5e3d56c1c091
https://hg.mozilla.org/mozilla-central/rev/90eccf42027e
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox39: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla39