Closed Bug 1174372 Opened 5 years ago Closed 5 years ago

Assertion failure: pageSize, at jit/ExecutableAllocatorPosix.cpp

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla41
Tracking Status
firefox41 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:])

Attachments

(2 files)

(function(stdlib, foreign, heap) {
    "use asm";
    function f() {}
    return f;
})();

asserts js debug shell on m-c changeset 203e1025a826 with --fuzzing-safe --no-threads --no-baseline --non-writable-jitcode at Assertion failure: pageSize, at jit/ExecutableAllocatorPosix.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 203e1025a826

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150612010155" and the hash "bf7931710801".
The "bad" changeset has the timestamp "20150612012257" and the hash "b46d6692fe50".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=bf7931710801&tochange=b46d6692fe50

Jan, bug 977805 probably exposed the issue here. Thoughts?
Flags: needinfo?(jdemooij)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x1862d4, 0x000000010006c2c0 js-dbg-64-dm-nsprBuild-darwin-203e1025a826`js::jit::ExecutableAllocator::reprotectRegion(start=<unavailable>, size=<unavailable>, setting=<unavailable>) + 208 at ExecutableAllocatorPosix.cpp:85, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010006c2c0 js-dbg-64-dm-nsprBuild-darwin-203e1025a826`js::jit::ExecutableAllocator::reprotectRegion(start=<unavailable>, size=<unavailable>, setting=<unavailable>) + 208 at ExecutableAllocatorPosix.cpp:85
    frame #1: 0x000000010013d6f6 js-dbg-64-dm-nsprBuild-darwin-203e1025a826`DynamicallyLinkModule(JSContext*, JS::CallArgs, js::AsmJSModule&) [inlined] js::jit::ExecutableAllocator::makeExecutable(start=<unavailable>, size=<unavailable>) + 8 at ExecutableAllocator.h:389
    frame #2: 0x000000010013d6ee js-dbg-64-dm-nsprBuild-darwin-203e1025a826`DynamicallyLinkModule(cx=<unavailable>, args=CallArgs at 0x00007fff5fbfdc70, module=0x0000000101fc9000) + 7550 at AsmJSLink.cpp:602
    frame #3: 0x00000001000a9a07 js-dbg-64-dm-nsprBuild-darwin-203e1025a826`LinkAsmJS(cx=0x0000000101fa5180, argc=0, vp=0x0000000103a020a8) + 711 at AsmJSLink.cpp:1074
    frame #4: 0x000000010020dcae js-dbg-64-dm-nsprBuild-darwin-203e1025a826`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x0000000101fa5180, native=0x00000001000a9740)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 208 at jscntxtinlines.h:235
(lldb)
This is happening often on most platforms, setting [fuzzblocker].
OS: Mac OS X → All
Hardware: x86_64 → All
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Attached patch Patch
Hm, the problem is that ExecutableAllocator::pageSize is initialized by the constructor, but because of --no-baseline, we never created an ExecutableAllocator.

This patch adds ExecutableAllocator::initStatic and calls it from JS_Init.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8622363 - Flags: review?(luke)
Attachment #8622363 - Flags: review?(luke) → review+
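As an added illustration (not SpiderMonkey's code), a reduced C++ model of the init-order bug described in the comment above and of the fix the patch takes: the names pageSize, initStatic and makeExecutable follow the report, the page-rounding body and the addresses are assumptions, and reprotectRegion returns false where the real code asserts.

```cpp
#include <cstddef>
#include <cstdint>
#include <unistd.h>

// Page-rounding step shared by both versions. Returns false exactly where the
// real allocator hits "Assertion failure: pageSize" (the static is still 0);
// the real code then calls mprotect(), which this model omits.
static bool reprotectRegion(size_t pageSize, uintptr_t start, size_t size) {
    if (pageSize == 0) return false;                           // the assertion
    uintptr_t pageStart = start & ~uintptr_t(pageSize - 1);    // round start down
    size_t len = size + size_t(start - pageStart);
    len = (len + pageSize - 1) & ~size_t(pageSize - 1);        // round length up
    return len != 0;
}

// Before the patch: pageSize is only assigned by the constructor. With
// --no-baseline no allocator is ever constructed, yet asm.js linking still
// calls the static makeExecutable(), so pageSize is 0 at that point.
struct BuggyAllocator {
    static size_t pageSize;
    BuggyAllocator() { pageSize = size_t(sysconf(_SC_PAGESIZE)); }
    static bool makeExecutable(uintptr_t start, size_t size) {
        return reprotectRegion(pageSize, start, size);
    }
};
size_t BuggyAllocator::pageSize = 0;

// After the patch: initStatic() is called once at engine start-up (JS_Init in
// the report), so the static no longer depends on an instance existing.
struct FixedAllocator {
    static size_t pageSize;
    static void initStatic() { pageSize = size_t(sysconf(_SC_PAGESIZE)); }
    static bool makeExecutable(uintptr_t start, size_t size) {
        return reprotectRegion(pageSize, start, size);
    }
};
size_t FixedAllocator::pageSize = 0;

// The report's scenario: link a module that needs executable memory without
// any allocator having been constructed (assumed address/length, not real JIT code).
bool linkWithoutAllocatorBuggy() { return BuggyAllocator::makeExecutable(0x1000, 64); }
bool linkAfterConstructingBuggy() {
    BuggyAllocator a;               // constructor ran first: works by accident
    return BuggyAllocator::makeExecutable(0x1000, 64);
}
bool linkWithoutAllocatorFixed() {
    FixedAllocator::initStatic();   // what JS_Init does after the patch
    return FixedAllocator::makeExecutable(0x1000, 64);
}
```

The buggy path only succeeds when something happened to construct an allocator earlier, which is why the shell flag combination in the report exposed it.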
https://hg.mozilla.org/mozilla-central/rev/306dcef91f59
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Component: JavaScript Engine → JavaScript Engine: JIT