1282743 - Assertion failure: hasPayload(), at js/src/vm/TraceLogging.h:111 with Debugger

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 0e3f8401b804 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

du = new Debugger();
du.setupTraceLogger({Scripts: true});
for (var idx = 0; idx < 100; idx++) {
  oomTest(function() {
      m = parseModule("x");
      m.declarationInstantiation();
      m.evaluation();
  })
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000065786f in js::TraceLoggerEvent::payload (this=<optimized out>) at js/src/vm/TraceLogging.h:111
#0  0x000000000065786f in js::TraceLoggerEvent::payload (this=<optimized out>) at js/src/vm/TraceLogging.h:111
#1  js::jit::CodeGenerator::link (this=this@entry=0x7ffff2c5d000, cx=cx@entry=0x7ffff6965000, constraints=<optimized out>) at js/src/jit/CodeGenerator.cpp:9358
#2  0x000000000067b06a in LinkCodeGen (cx=cx@entry=0x7ffff6965000, builder=builder@entry=0x7ffff2c3c1d0, codegen=codegen@entry=0x7ffff2c5d000) at js/src/jit/Ion.cpp:515
#3  0x00000000006e9777 in js::jit::IonCompile (cx=cx@entry=0x7ffff6965000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2273
#4  0x00000000006e9e39 in js::jit::Compile (cx=cx@entry=0x7ffff6965000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2432
#5  0x00000000006ea046 in js::jit::CanEnter (cx=cx@entry=0x7ffff6965000, state=...) at js/src/jit/Ion.cpp:2524
#6  0x0000000000ae7f29 in js::RunScript (cx=cx@entry=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:374
#7  0x0000000000aea70b in js::ExecuteKernel (cx=cx@entry=0x7ffff6965000, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffbe38) at js/src/vm/Interpreter.cpp:676
#8  0x0000000000aead48 in js::Execute (cx=cx@entry=0x7ffff6965000, script=..., script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fffffffbe38) at js/src/vm/Interpreter.cpp:709
#9  0x0000000000a1f514 in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff6965000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:908
#10 0x0000000000b384e4 in intrinsic_EvaluateModule (cx=0x7ffff6965000, argc=<optimized out>, vp=0x7fffffffbe38) at js/src/vm/SelfHosting.cpp:2175
#11 0x00007ffff7fb80c9 in ?? ()
[...]
#14 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffb550	140737488336208
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffb6c0	140737488336576
rsp	0x7fffffffb490	140737488336016
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fdc740	140737353992000
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffffffb520	140737488336160
r13	0x7fffffffb590	140737488336272
r14	0x7ffff2c5d000	140737266438144
r15	0x7ffff2b01190	140737265013136
rip	0x65786f <js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*)+2415>
=> 0x65786f <js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*)+2415>:	movl   $0x0,0x0
   0x65787a <js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*)+2426>:	ud2

Comment 1

[Benjamin Bouvier [:bbouvier] (inactive)]

Probably a dup of the one found by gkw.

Comment 2

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7a942a270777
user:        Hannes Verschore
date:        Tue Jun 21 13:52:11 2016 +0200
summary:     Bug 1280648 - Tracelogger: Don't cache based on pointers to movable gc things, r=bbouvier

This iteration took 231.491 seconds to run.

Comment 3

[Hannes Verschore [:h4writer]]

Attachment: Patch

The issue dates before bug 1280648, but since JSScript were cached, couldn't happen during compilation. We already had a textId and couldn't fail. Now we do create one and as a result can testable fail. Like this bug shows

Two fixes here:
1) If event.payload() is empty, we failed to create a payload. TraceLogStartEvent handles this case, but since in ion this is custom code, we need to check it here.

2) In assembly test if the "logger" is empty, which means there was an error and skip calling the trace code.

Comment 5

[Benjamin Bouvier [:bbouvier] (inactive)]

Comment on attachment 8766911 [details] [diff] [review]
Patch

Review of attachment 8766911 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks.

::: js/src/jit-test/tests/ion/bug1282743.js
@@ +1,5 @@
> +
> +du = new Debugger();
> +du.setupTraceLogger({Scripts: true});
> +for (var idx = 0; idx < 1; idx++) {
> +  oomTest(function() {

Guards for oomTest? Debugger? Debugger.setupTraceLogger?

::: js/src/jit/IonCode.h
@@ +437,5 @@
>          return hasProfilingInstrumentation_;
>      }
>      MOZ_MUST_USE bool addTraceLoggerEvent(TraceLoggerEvent& event) {
> +        if (!event.hasPayload())
> +            return false;

It feels weird to have this here, as this check doesn't relate to adding the event to the array of tracelogger events. There are only 2 callers to this function, can you hoist up this check please?

Comment 6

[Pulsebot]

Pushed by hv1989@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/56479cda8c95
TraceLogging: Make sure there is a payload when baking in an event, r=bbouvier

Comment 7

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/56479cda8c95