Closed Bug 1530351 Opened 6 years ago Closed 6 years ago

Assertion failure: Mismatch between stored lastProfilingFrame and current stack pointer., at js/src/jit/MacroAssembler.cpp:2029

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
ARM64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: decoder, Assigned: nbp)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:ignore])

Attachments

(1 file)

Bug 1530351 - GenerateProfilerExit frame use 64-bits math to remove the rectifier frame size.
47 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review

The following testcase crashes on mozilla-central revision 492e4409f468+ (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-jemalloc --enable-debug, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-warmup-threshold=0):

function test(str) {
  for (let i = 0; i < 100; ++i)
    Reflect.apply(String.prototype.substring, str, [])
}
enableGeckoProfilingWithSlowAssertions();
test("");

Backtrace:

received signal SIGTRAP, Trace/breakpoint trap.
0x000015a0e0619640 in ?? ()
#0  0x000015a0e0619640 in ?? ()
#1  0x0000000400000000 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
x0	0xcf525680	63109432759936
x1	0x0	0
x2	0xcf525680	-1344265450793344
x3	0x0	0
x4	0x2044	8260
x5	0x0	0
x6	0x0	0
x7	0xcf525680	63109432759936
x8	0xcc0dd7e0	3423459296
x9	0xcc0dd790	281474105202576
x10	0xcc0dd7e0	3423459296
x11	0xcc0dd950	281474105203024
x12	0xcf5afba0	63109433326496
x13	0xcf525680	-1344265450793344
x14	0x67777ab0	187657446980272
x15	0x0	0
x16	0x6e113a60	281463938431584
x17	0x36760418	187656624800792
x18	0x2f	47
x19	0x0	0
x20	0x67777a90	187657446980240
x21	0xe0642660	23780703610464
x22	0x67791ca0	187657447087264
x23	0xcc0dd850	281474105202768
x24	0x9ba00a28	-523854550136280
x25	0xcc0dd948	281474105203016
x26	0x0	0
x27	0xe0600920	23780703340832
x28	0xcc0dd7e0	281474105202656
x29	0xcc0dd900	281474105202944
x30	0xe06448b4	23780703619252
sp	0xcc0dd720	281474105202464
pc	0xe0619640	23780703442496
cpsr	[ EL=0 C Z ]
fpcsr	void
fpcr	0x0	0
=> 0x15a0e0619640:	brk	#0x0
   0x15a0e0619644:	ldr	x8, [x28, #8]

Requires the patch from bug 1528869 to enable Ion on ARM64.

This is probably blocking some Gecko work as well, we should prioritize this bug as soon as all fuzzblocker bugs are addressed.

Assignee: nobody → nicolas.b.pierron
Assignee: nicolas.b.pierron → nobody
Blocks: 1528869

Sean, could you please look into this regression for 67 which will show up once bug 1528869 lands?

Flags: needinfo?(sstangl)
Blocks: 1526993
Flags: needinfo?(sstangl)
Priority: -- → P2
Whiteboard: [jsbugmon:ignore] → JS fuzzing bug [jsbugmon:ignore]

This is a JS fuzzing bug and sdetar said the team will fix as many as they can in 67 but will not be able to get to all. Marking them fix-optional.

status-firefox67: affectedfix-optional
Whiteboard: JS fuzzing bug [jsbugmon:ignore] → [jsbugmon:ignore]

Nicolas, this also does not reproduce for me. Could you please confirm that it doesn't reproduce for you either? If it doesn't, we can toss it in the hopes that it got fixed as part of our changes since the previous month.

Flags: needinfo?(nicolas.b.pierron)

(In reply to Sean Stangl [:sstangl] from comment #4)

Nicolas, this also does not reproduce for me. Could you please confirm that it doesn't reproduce for you either? If it doesn't, we can toss it in the hopes that it got fixed as part of our changes since the previous month.

I can reproduce this issue.
I will investigate after finishing with Bug 1497045.

Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/16044e8bda4b GenerateProfilerExit frame use 64-bits math to remove the rectifier frame size. r=sstangl

https://hg.mozilla.org/mozilla-central/rev/16044e8bda4b

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Comment on attachment 9055100 [details]
Bug 1530351 - GenerateProfilerExit frame use 64-bits math to remove the rectifier frame size.

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: Bug 1528869
  • User impact if declined: Crash when profiling Firefox.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is not risky as this is a 1 line change which prevent a truncation from happening.
  • String changes made/needed: N/A
Attachment #9055100 - Flags: approval-mozilla-beta?

Comment on attachment 9055100 [details]
Bug 1530351 - GenerateProfilerExit frame use 64-bits math to remove the rectifier frame size.

Crash when profiling on Firefox, safe patch, uplift accepted for 67 beta 10, thanks.

Attachment #9055100 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
No longer blocks: 1528869
status-firefox66: --- → unaffected
status-firefox-esr60: --- → unaffected
Flags: in-testsuite+
Regressed by: 1528869
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: