Assertion failure: !empty(), at dist/include/mozilla/Vector.h:473 with Trace Logger

RESOLVED FIXED in Firefox 51

Status

critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: decoder, Assigned: h4writer)

Tracking

(Blocks: 2 bugs, 4 keywords)

Trunk
mozilla51
x86_64
Linux
assertion, jsbugmon, regression, testcase

Firefox Tracking Flags

(firefox48 unaffected, firefox49 unaffected, firefox50 unaffected, firefox51 fixed)

Details

(Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision 401ea746b1a9 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

evaluate(`
 var du = new Debugger();
 du.setupTraceLoggerScriptCalls();
 du.startTraceLogger();
`);



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000051b3d8 in mozilla::Vector<unsigned int, 1ul, js::SystemAllocPolicy>::back (this=0x7ffff69a0110) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Vector.h:473
#0  0x000000000051b3d8 in mozilla::Vector<unsigned int, 1ul, js::SystemAllocPolicy>::back (this=0x7ffff69a0110) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Vector.h:473
#1  mozilla::Vector<unsigned int, 1ul, js::SystemAllocPolicy>::popCopy (this=0x7ffff69a0110) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Vector.h:1358
#2  js::TraceLoggerThread::stopEvent (id=23, this=0x7ffff69a0040) at js/src/vm/TraceLogging.cpp:537
#3  js::TraceLoggerThread::stopEvent (this=0x7ffff69a0040, event=...) at js/src/vm/TraceLogging.cpp:524
#4  0x0000000000ad9615 in js::TraceLogStopEvent (event=..., logger=<optimized out>) at js/src/vm/TraceLogging.h:444
[...]
#15 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7659


Happens quite frequently, marking fuzzblocker.

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]

Comment 1

2 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9bf32cd7b3e5
user:        Hannes Verschore
date:        Fri Sep 02 18:19:27 2016 +0200
summary:     Bug 1298541: Tracelogger: Part 1: Add debugging to check start and stop correspond, r=bbouvier

This iteration took 247.493 seconds to run.
status-firefox48: --- → unaffected
status-firefox49: --- → unaffected
status-firefox50: --- → unaffected
Hannes, is bug 1298541 a likely regressor?
Blocks: 1298541
Flags: needinfo?(hv1989)
(Assignee)

Comment 3

2 years ago
Created attachment 8788770 [details] [diff] [review]
Patch

I made a small reasoning error. I assumed that I always fully constructed the active scripts on the stack when enabling tracelogger, but that is wrong. I only log the parent script, which was a conscious decision, only I forgot this.

That means we should just ignore the debug tests after the debug stack is empty.
Assignee: nobody → hv1989
Flags: needinfo?(hv1989)
Attachment #8788770 - Flags: review?(bbouvier)
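
The bookkeeping described in Comment 3, as an added example that is not this bug's patch and not SpiderMonkey code: a stand-alone C++ model of a start/stop debug stack that skips the check once the stack is empty. The names StartStopChecker, StopCheck and the replay functions are hypothetical, and the event ids are constructed.

```cpp
#include <cstdint>
#include <vector>

// Hypothetical model, not SpiderMonkey code: all names here are invented.
enum class StopCheck { Matched, Mismatch, Unchecked };

class StartStopChecker {
    std::vector<uint32_t> started_;  // ids of events started while logging was on
    bool enabled_ = false;

  public:
    void enable() { enabled_ = true; }

    void start(uint32_t id) { if (enabled_) started_.push_back(id); }

    // Events that began before enable() have no recorded start, so a stop can
    // arrive with nothing on the debug stack. Skip the check instead of popping.
    StopCheck stop(uint32_t id) {
        if (!enabled_ || started_.empty())
            return StopCheck::Unchecked;
        uint32_t expected = started_.back();
        started_.pop_back();
        return expected == id ? StopCheck::Matched : StopCheck::Mismatch;
    }
};

// Constructed scenario: events 1 and 2 are already running when logging is
// enabled, event 3 starts afterwards, then all three stop in LIFO order.
std::vector<StopCheck> replayLateEnable() {
    StartStopChecker c;
    c.start(1); c.start(2);  // before enable(): not recorded
    c.enable();
    c.start(3);
    std::vector<StopCheck> out;
    for (uint32_t id : {3u, 2u, 1u})
        out.push_back(c.stop(id));
    return out;
}

// Constructed scenario: a stop that does not match the innermost start.
StopCheck replayMismatch() {
    StartStopChecker c;
    c.enable();
    c.start(7); c.start(8);
    return c.stop(7);
}

int main() { return replayMismatch() == StopCheck::Mismatch ? 0 : 1; }
```

The check still catches a genuine start/stop mismatch while entries remain on the stack; only stops that arrive with an empty stack go unchecked.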
Comment on attachment 8788770 [details] [diff] [review]
Patch

Review of attachment 8788770 [details] [diff] [review]:
-----------------------------------------------------------------

Got it. Mind adding a test case, please?
Attachment #8788770 - Flags: review?(bbouvier) → review+

Comment 5

2 years ago
Pushed by hv1989@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8e68d6ac1801
TraceLogger - Ignore debug checks when stack is empty, r=bbouvier
(Assignee)

Updated

2 years ago
Blocks: 1298831

Comment 6

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/8e68d6ac1801
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox51: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51