Closed Bug 1150783 Opened 9 years ago Closed 9 years ago

Assertion failure: !isFakeExitFrame(), at js/src/jit/JitFrames-inl.h:68

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED FIXED
mozilla40
Tracking Status
firefox40 --- fixed

People

(Reporter: dougc, Assigned: nbp)

Attachments

(3 files, 1 obsolete file)

Hit this assertion failure doing a stacktrace from an Odin FFI function.
Do you have a testcase or STR?
(In reply to Jan de Mooij [:jandem] from comment #1)
> Do you have a testcase or STR?

No, can't reproduce, so perhaps close.
I will close it for now.

If you are able to reproduce it / attach it in a debugger / collect additional information, feel free to reopen this bug.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Saw a few more of these failures in an emscripten parallel_test_core.py run on a slightly patched nightly debug shell. This would have run a lot of tests and there were four failures: test_cube2hash (test_core.asm2g), test_freetype (test_core.asm2g), test_memcpy3 (test_core.asm2g), test_poppler (test_core.asm2g). Perhaps with some more data it can be better understood. Trying to reproduce.
Ran it again and got a different set of failures: test_cube2hash (test_core.asm2g), test_freetype (test_core.asm2g), test_zlib (test_core.asm2g).
This test example was produced by Emscripten './runner.py asm2g.test_memcpy3'. The memory initialization file has been disabled so the test does not work, but it does crash.

Tested with nightly bddebae866b4, unpatched debug x64 build.

Are you able to reproduce the crash with this test?

Stacktrace:
#0  0x00000000008b2038 in js::jit::JitFrameIterator::exitFrame (this=this@entry=0x7fffffff94a0) at js/src/jit/JitFrames-inl.h:68
#1  0x000000000086694f in js::jit::LazyLinkTopActivation (cx=0x7ffff631b330) at js/src/jit/Ion.cpp:447
#2  0x00007ffff7ff0cc7 in ?? ()
Flags: needinfo?(nicolas.b.pierron)
(In reply to Douglas Crosher [:dougc] from comment #6)
> Are you able to reproduce the crash with this test?

I am able to reproduce it, I'll see if I can make a minimal test case.
Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(nicolas.b.pierron)
Status: RESOLVED → REOPENED
Flags: needinfo?(nicolas.b.pierron)
Resolution: INCOMPLETE → ---
Blocks: 1138391
Attached file minimal test case.
This test case fails with the previous assertion when using a debug build, and running the test case with --thread-count=2.
Attachment #8598601 - Attachment is obsolete: true
Attachment #8598601 - Flags: review?(hv1989)
Comment on attachment 8598608 [details] [diff] [review]
Use a special JitFrame to record when LazyLink stubs are on the stack.

Review of attachment 8598608 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/IonCaches.cpp
@@ +476,5 @@
>  GetReturnAddressToIonCode(JSContext* cx)
>  {
>      JitFrameIterator iter(cx);
> +    MOZ_ASSERT(iter.type() == JitFrame_Exit,
> +               "Use VMFunction to call IonCache update functions.");
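
Review bot: The message on the added MOZ_ASSERT in GetReturnAddressToIonCode tells callers what to do ("Use VMFunction to call IonCache update functions.") but not what is being checked: nothing in it connects the VMFunction requirement to the condition iter.type() == JitFrame_Exit. Suggest rewording the message, or adding a short comment above the assertion, so that it names the expected frame type at the top of the iterator and says why a caller that does not go through a VMFunction would fail the check.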

Can you make the explanation more clear?
Attachment #8598608 - Flags: review?(hv1989) → review+
(In reply to Hannes Verschore [:h4writer] from comment #11)
> Comment on attachment 8598608 [details] [diff] [review]
> Use a special JitFrame to record when LazyLink stubs are on the stack.
> 
> Review of attachment 8598608 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: js/src/jit/IonCaches.cpp
> @@ +476,5 @@
> >  GetReturnAddressToIonCode(JSContext* cx)
> >  {
> >      JitFrameIterator iter(cx);
> > +    MOZ_ASSERT(iter.type() == JitFrame_Exit,
> > +               "Use VMFunction to call IonCache update functions.");
> 
> Can you make the explanation more clear?

This function is only used by the IonCaches update function, which is necessarily called with a VMFunction, which implies that we have an Exit frame, and not a LazyLink frame.
https://hg.mozilla.org/mozilla-central/rev/e9e47135019e
Assignee: nobody → nicolas.b.pierron
Status: REOPENED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla40