Closed Bug 1603920 Opened 5 years ago Closed 5 years ago

Assertion failure: Mismatch between stored lastProfilingFrame and current stack pointer., at js/src/jit/MacroAssembler.cpp:1828 with Debugger

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla73
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- wontfix
firefox72 --- wontfix
firefox73 --- fixed

People

(Reporter: gkw, Assigned: loganfsmyth)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision a6b449010a04 (build with --enable-debug --disable-optimize, run with --fuzzing-safe --no-threads --baseline-eager --no-ion):

// jsfunfuzz-generated
enableGeckoProfiling();
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/onEnterFrame-generator-08.js
let g = newGlobal({
    newCompartment: true
});
g.eval("function* f() {}");
let dbg = new Debugger(g);
let it = g.f();
dbg.onEnterFrame = () => ({
    return: "exit"
});
it.throw();

Backtrace:

#0  0x000017c75d236d39 in ?? ()
#1  0x000017c75d21a785 in ?? ()
#2  0x0000000000001044 in ?? ()
#3  0x0000216f622ac830 in ?? ()
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/467644cd89e8
user: Jan de Mooij
date: Sat Jul 13 11:21:12 2019 +0000
summary: Bug 1564017 part 7 - Enable the Baseline Interpreter in the browser. r=tcampbell

Jan, is baseline interpreter a likely regressor?

Flags: needinfo?(jdemooij)
Regressed by: 1564017

Bug 1602699 is refactoring some of this code, I'll wait for that to land and investigate (if it's still an issue then).

Depends on: 1602699

Gary, does this still repro for you? The test seems to pass for me now but I didn't do a lot of testing.

Flags: needinfo?(jdemooij) → needinfo?(nth10sd)

autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b2ad424d4882
user: Logan Smyth
date: Thu Dec 19 00:57:00 2019 +0000
summary: Bug 1602699 - Part 5: Change DebugAPI::onEnter/ResumeFrame to work via an error. r=jimb,jandem

Logan, is bug 1602699 a likely fix?

Flags: needinfo?(nth10sd) → needinfo?(loganfsmyth)

Yep, https://bugzilla.mozilla.org/show_bug.cgi?id=1602699 almost certainly fixed this.

Flags: needinfo?(loganfsmyth) → needinfo?(nth10sd)

Resolving fixed by bug 1602699 as per comment 6 and comment 7.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(nth10sd)
Resolution: --- → FIXED

Should we land this testcase still? I don't see any new tests added by bug 1602699.

Assignee: nobody → loganfsmyth
Flags: needinfo?(loganfsmyth)
Flags: in-testsuite?
Target Milestone: --- → mozilla73

I'm not sure it's necessary. The code path that was triggering this case was, I think, missing a piece of code for gecko profiler cleanup of the function call, causing some kind of failure here. https://bugzilla.mozilla.org/show_bug.cgi?id=1602699 removed that codepath entirely in favor of the path already used everywhere in the system, so existing tests for the profile should already cover the code now being used.

Assignee: loganfsmyth → ryanvm
Flags: needinfo?(loganfsmyth)
Assignee: ryanvm → loganfsmyth
Flags: in-testsuite? → in-testsuite-