1174542 - Assertion failure: autoWritableJitCodeActive_ != b (AutoWritableJitCode should not be nested.), at js/src/vm/Runtime.h:1404

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision c223b8844264 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var du = new Debugger();
    du.setupTraceLogger({
        Scripts: true,
    });
for (var i = 0; i < 10000; ++i) {}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000450dba in JSRuntime::toggleAutoWritableJitCodeActive (b=true, this=0x7ffff693c000) at js/src/vm/Runtime.h:1404
#0  0x0000000000450dba in JSRuntime::toggleAutoWritableJitCodeActive (b=true, this=0x7ffff693c000) at js/src/vm/Runtime.h:1404
#1  0x00000000008bdb64 in toggleAutoWritableJitCodeActive (b=true, this=0x7ffff693c000) at js/src/vm/Runtime.h:1405
#2  AutoWritableJitCode (size=4536, addr=0x7ffff7ff2790, rt=0x7ffff693c000, this=0x7fffffffb940) at js/src/jit/JitCompartment.h:573
#3  js::jit::AutoWritableJitCode::AutoWritableJitCode (this=0x7fffffffb940, code=<optimized out>) at js/src/jit/JitCompartment.h:580
#4  0x000000000083d263 in js::jit::BaselineScript::initTraceLogger (this=this@entry=0x7ffff699d400, runtime=<optimized out>, script=0x7ffff7e5e128) at js/src/jit/BaselineJIT.cpp:915
#5  0x00000000008a4ba7 in js::jit::BaselineCompiler::compile (this=this@entry=0x7fffffffbda0) at js/src/jit/BaselineCompiler.cpp:261
#6  0x00000000008a579d in js::jit::BaselineCompile (cx=cx@entry=0x7ffff691b4e0, script=0x7ffff7e5e128, forceDebugInstrumentation=<optimized out>) at js/src/jit/BaselineJIT.cpp:263
#7  0x00000000008a70d9 in CanEnterBaselineJIT (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7ffff47e8038) at js/src/jit/BaselineJIT.cpp:302
#8  0x00000000008a71e2 in js::jit::CanEnterBaselineAtBranch (cx=cx@entry=0x7ffff691b4e0, fp=0x7ffff47e8038, newType=newType@entry=false) at js/src/jit/BaselineJIT.cpp:344
#9  0x000000000067ac6b in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:2013
#10 0x0000000000684693 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:653
#11 0x000000000068f5de in js::ExecuteKernel (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:888
#12 0x0000000000691821 in js::Execute (cx=cx@entry=0x7ffff691b4e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:928
#13 0x0000000000a849a5 in ExecuteScript (cx=cx@entry=0x7ffff691b4e0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4188
#14 0x0000000000a84b6b in JS_ExecuteScript (cx=cx@entry=0x7ffff691b4e0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4210
#15 0x0000000000426c61 in RunFile (compileOnly=false, file=0x7ffff699a800, filename=0x7fffffffdfd5 "min.js", cx=0x7ffff691b4e0) at js/src/shell/js.cpp:446
#16 Process (cx=cx@entry=0x7ffff691b4e0, filename=0x7fffffffdfd5 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:564
#17 0x0000000000472c5d in ProcessArgs (op=0x7fffffffda50, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:5873
#18 Shell (envp=<optimized out>, op=0x7fffffffda50, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:6142
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6485
rax	0x0	0
rbx	0x7fffffffb940	140737488337216
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffb8e0	140737488337120
rsp	0x7fffffffb8e0	140737488337120
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffb6a0	140737488336544
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff693c000	140737330266112
r13	0x11b8	4536
r14	0x7ffff7ff2790	140737354082192
r15	0x7ffff699d400	140737330664448
rip	0x450dba <JSRuntime::toggleAutoWritableJitCodeActive(bool)+28>
=> 0x450dba <JSRuntime::toggleAutoWritableJitCodeActive(bool)+28>:	movl   $0x57c,0x0
   0x450dc5 <JSRuntime::toggleAutoWritableJitCodeActive(bool)+39>:	callq  0x4941f0 <abort()>


This happens very frequently, marking as fuzzblocker.

Comment 1

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150612010155" and the hash "bf7931710801".
The "bad" changeset has the timestamp "20150612012257" and the hash "b46d6692fe50".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=bf7931710801&tochange=b46d6692fe50

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Patch

I'm pretty sure the AutoWritableJitCode in initTraceLogger was necessary at some point but it no longer is.

Apparently this path is also completely untested so I added the test.

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 4

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/79c97ea12fca

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/79c97ea12fca