Closed
Bug 1334103
Opened 7 years ago
Closed 7 years ago
Assertion failure: enable == !traceLoggerScriptsEnabled_, at js/src/jit/BaselineJIT.cpp:1008 with evalInWorker and Debugger
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox54 | --- | affected |
People
(Reporter: decoder, Assigned: h4writer)
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on mozilla-central revision fbdfcecf0c77 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --disable-oom-functions --disable-oom-functions --ion-offthread-compile=off --ion-eager):
evalInWorker(`
try { evaluate(\`
var du = new Debugger();
assertEq(du.setupTraceLogger({ Scripts: 8 }), true);
\`); } catch(exc) {}
`);
evalInWorker(`
try { evaluate(\`
var du = new Debugger();
assertEq(du.setupTraceLogger({ Scripts: false }), true);
\`); } catch(exc) {}
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff2bff700 (LWP 23246)]
0x0000000000ddb948 in js::jit::BaselineScript::toggleTraceLoggerScripts (this=0x7ffff33ef380, runtime=runtime@entry=0x7ffff69d2208, script=script@entry=0x7ffff2609120, enable=enable@entry=false) at js/src/jit/BaselineJIT.cpp:1008
#0 0x0000000000ddb948 in js::jit::BaselineScript::toggleTraceLoggerScripts (this=0x7ffff33ef380, runtime=runtime@entry=0x7ffff69d2208, script=script@entry=0x7ffff2609120, enable=enable@entry=false) at js/src/jit/BaselineJIT.cpp:1008
#1 0x0000000000de3a14 in js::jit::ToggleBaselineTraceLoggerScripts (runtime=0x7ffff69d2208, enable=enable@entry=false) at js/src/jit/BaselineJIT.cpp:1199
#2 0x0000000000542192 in js::TraceLoggerThreadState::disableTextId (textId=<optimized out>, cx=0x7ffff69d2000, this=<optimized out>) at js/src/vm/TraceLogging.cpp:903
#3 js::TraceLogDisableTextId (cx=cx@entry=0x7ffff2bfcc70, textId=<optimized out>) at js/src/vm/TraceLogging.cpp:1037
#4 0x00000000009ee9ab in js::Debugger::setupTraceLogger (cx=0x7ffff2bfcc70, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:4985
#5 0x000000000053522d in js::CallJSNative (cx=cx@entry=0x7ffff69d2000, native=0x9ee3c0 <js::Debugger::setupTraceLogger(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#6 0x00000000005302e5 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff69d2000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:460
#7 0x00000000005306d6 in InternalCall (cx=cx@entry=0x7ffff69d2000, args=...) at js/src/vm/Interpreter.cpp:505
#8 0x00000000005307fa in js::CallFromStack (cx=cx@entry=0x7ffff69d2000, args=...) at js/src/vm/Interpreter.cpp:511
#9 0x0000000000dfc7aa in js::jit::DoCallFallback (cx=0x7ffff69d2000, frame=0x7ffff2bfd328, stub_=<optimized out>, argc=<optimized out>, vp=0x7ffff2bfd2c8, res=...) at js/src/jit/BaselineIC.cpp:3691
#10 0x00007ffff7e1295a in ?? ()
[...]
#34 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff33ef380 140737274377088
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7ffff2bfcb20 140737266043680
rsp 0x7ffff2bfcaa0 140737266043552
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff2bff700 140737266054912
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x1 1
r13 0x0 0
r14 0x7ffff2609120 140737259802912
r15 0x7ffff69d2208 140737330881032
rip 0xddb948 <js::jit::BaselineScript::toggleTraceLoggerScripts(JSRuntime*, JSScript*, bool)+712>
=> 0xddb948 <js::jit::BaselineScript::toggleTraceLoggerScripts(JSRuntime*, JSScript*, bool)+712>: movl $0x0,0x0
0xddb953 <js::jit::BaselineScript::toggleTraceLoggerScripts(JSRuntime*, JSScript*, bool)+723>: ud2
|
||
Updated•7 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•7 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/08cbfe9c9060 parent: 324261:629069be312e user: Nicolas B. Pierron date: Fri Nov 25 09:24:38 2016 +0000 summary: Bug 1314172 - Add an option to toggle backtracking on inlining failures. r=h4writer This iteration took 243.750 seconds to run.
|
|
||
Updated•7 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 2•7 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a338e596b1d9).
|
Reporter | |
Comment 3•7 years ago
|
||
This issue seems to be intermittent, not sure if the bisect in comment 1 is correct.
Flags: needinfo?(nicolas.b.pierron)
|
||
Comment 4•7 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #3) > This issue seems to be intermittent, not sure if the bisect in comment 1 is > correct. Even if the bisect is correct, this would mean that the bug was present before the change which is disabled by this commit. I will forward this issue to Hannes as this is related to TraceLogger usage on the Debugger.
Flags: needinfo?(nicolas.b.pierron) → needinfo?(hv1989)
|
Assignee | |
Updated•7 years ago
|
Priority: -- → P1
|
||
Updated•7 years ago
|
Assignee: nobody → hv1989
|
||
Comment 5•7 years ago
|
||
Naveed would you like to close this one? (It can be reopened if it happens again)
Flags: needinfo?(nihsanullah)
|
||
Comment 6•7 years ago
|
||
I'm going to go ahead and close this; we can reopen another bug if the failure comes back in a reproducible way.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(nihsanullah)
Flags: needinfo?(hv1989)
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•