Closed Bug 1502744 Opened 6 years ago Closed 5 years ago

Assertion failure: slotInfo.isStackSynced(), at js/src/jit/JSJitFrameIter.cpp:673

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- unaffected
firefox65 --- wontfix
firefox66 --- fixed

People

(Reporter: decoder, Assigned: tcampbell)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 7007206a3cd4 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

// Helper installed on the global: builds an iterator whose return() hook is
// supplied by the caller, so user code runs when the iterator is closed early.
(function(global) {
    global.makeIterator = function makeIterator(overrides) {
        var iterator = {
            return: function(x) {
                return overrides.ret(x);
            }
        };
        return function() {
            return iterator;
        };
    }
})(this);
var iterable = {};
// return() turns the Gecko profiler on from inside the iterator-close path.
// enableGeckoProfilingWithSlowAssertions is a JS shell testing function
// (frame #3 in the backtrace below, js/src/shell/js.cpp).
iterable[Symbol.iterator] = makeIterator({
    ret: (function() {
        enableGeckoProfilingWithSlowAssertions();
    })
});
// throwlhs is deliberately undefined: evaluating the destructuring target
// throws a ReferenceError after the iterator has already been fetched, so the
// engine calls iterator.return() (IteratorClose) while unwinding. The leading
// `0,` just makes the assignment the second operand of a comma expression.
0, [...{} [throwlhs()]] = iterable;


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x000055555628dbac in js::jit::JSJitProfilingFrameIterator::fixBaselineReturnAddress (this=0x7fffffffa1a0) at js/src/jit/JSJitFrameIter.cpp:673
#0  0x000055555628dbac in js::jit::JSJitProfilingFrameIterator::fixBaselineReturnAddress (this=0x7fffffffa1a0) at js/src/jit/JSJitFrameIter.cpp:673
#1  0x0000555555c0a996 in GetTopProfilingJitFrame (act=act@entry=0x7fffffffcce0) at js/src/vm/GeckoProfiler.cpp:79
#2  0x0000555555c16f6c in js::GeckoProfilerRuntime::enable (this=0x7ffff5f1c2f0, enabled=true) at js/src/vm/GeckoProfiler.cpp:141
#3  0x00005555557fc2df in EnableGeckoProfilingWithSlowAssertions (cx=0x7ffff5f18000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:6508
#4  0x000055555596d0e5 in CallJSNative (cx=0x7ffff5f18000, native=0x5555557fc1e0 <EnableGeckoProfilingWithSlowAssertions(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:468
[...]
#12 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffa1a0	140737488331168
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffa190	140737488331152
rsp	0x7fffffffa160	140737488331104
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7ffff4d91940	140737301256512
r13	0x7ffff49e6d9d	140737297411485
r14	0x1	1
r15	0x7ffff5f7c000	140737320042496
rip	0x55555628dbac <js::jit::JSJitProfilingFrameIterator::fixBaselineReturnAddress()+284>
=> 0x55555628dbac <js::jit::JSJitProfilingFrameIterator::fixBaselineReturnAddress()+284>:	movl   $0x0,0x0
   0x55555628dbb7 <js::jit::JSJitProfilingFrameIterator::fixBaselineReturnAddress()+295>:	ud2
See Also: → 1503640
Assignee: nobody → tcampbell
Priority: -- → P1
Blocks: 1502051
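The JavaScript-level mechanism the testcase relies on, shown as an added example that is not part of the bug report and needs no SpiderMonkey shell functions. The names makeLoggingIterable, destructureWithThrowingTarget and destructureNormally are chosen here; throwlhs is kept deliberately undefined, as in the testcase. It runs in any ES2015+ engine (Node included):

```javascript
// Added example, not from the bug report. It demonstrates why an iterator's
// return() method is a convenient place to run arbitrary code "inside" the
// engine: in array destructuring assignment the iterator is obtained first,
// the assignment target is evaluated next, and if that evaluation throws the
// spec's IteratorClose step calls return() before the exception reaches any
// catch. The fuzzer testcase uses exactly this hook to flip the profiler on.
// makeLoggingIterable / destructureWithThrowingTarget / destructureNormally
// are names chosen for this example; throwlhs is deliberately left undefined.

// Iterable whose iterator appends every protocol call it receives to `events`.
function makeLoggingIterable(values, events) {
  let i = 0;
  const iterator = {
    next() {
      events.push("next");
      return i < values.length
        ? { value: values[i++], done: false }
        : { value: undefined, done: true };
    },
    return(x) {
      // This is the hook: anything placed here runs during error unwinding.
      events.push("return");
      return { value: x, done: true };
    },
  };
  return {
    [Symbol.iterator]() {
      events.push("iterator");
      return iterator;
    },
  };
}

// Same shape as the testcase: the rest target `{}[throwlhs()]` throws a
// ReferenceError. No next() is ever called, but return() is.
function destructureWithThrowingTarget() {
  const events = [];
  const iterable = makeLoggingIterable([1, 2, 3], events);
  let error = null;
  try {
    [...{}[throwlhs()]] = iterable;
  } catch (e) {
    error = e instanceof ReferenceError ? "ReferenceError" : String(e);
  }
  return { events, error };
}

// Control case: a well-behaved target drains the iterator to done:true, so
// the engine never needs IteratorClose and return() is not invoked.
function destructureNormally() {
  const events = [];
  const iterable = makeLoggingIterable([1, 2, 3], events);
  let values;
  [...values] = iterable;
  return { events, values };
}

console.log(destructureWithThrowingTarget());
console.log(destructureNormally());
```

The throwing case logs `["iterator", "return"]` and surfaces the ReferenceError only afterwards, which is the window the testcase exploits: return() executes while the engine is still unwinding the destructuring, so a profiler enabled from there walks a frame whose stack state is whatever the unwinding code left it in.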
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5c6343e86e05
user:        Ted Campbell
date:        Fri Oct 26 16:01:41 2018 +0000
summary:     Bug 1502051 - Always check slotInfo for BaselineScript::nativeCodeForPc. r=djvj

Confirming that bug 1502051 is a likely regressor.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
https://searchfox.org/mozilla-central/rev/6e0e603f4852b8e571e5b8ae133e772b18b6016e/js/src/jit/BaselineCompiler.cpp#1182-1195

This should probably call syncStack for JSOP_RESUME. The assertion tripped is a bit overzealous, but I think it is preferable to ensure ops that use override PCs are synced anyway, since they generally involve non-local control flow to begin with.
The patch in bug 1511370 hits this on tons of jit-tests if you apply the patch, enable the sampler in jit-test's prologue.js and run jit-tests on Linux or Mac.
Blocks: 1511370
The assert was overzealous and should just be removed. Other return
addresses reported by the iterator are just sampled from the stack and don't
indicate whether the stack is synced or not.

Also, fix up an out-of-date comment here.
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0e657bec5731
Profiler should allow unsynced baseline addresses. r=jandem
https://hg.mozilla.org/mozilla-central/rev/0e657bec5731
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Flags: in-testsuite+