Assertion failure: Mismatch between stored lastProfilingFrame and current stack pointer., at jit/VMFunctions.cpp:2726
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | unaffected |
| firefox101 | --- | unaffected |
| firefox102 | --- | unaffected |
| firefox103 | --- | verified |
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20220613-3c71dd51a31a (debug build, run with --fuzzing-safe --no-threads --ion-warmup-threshold=0 --fast-warmup):
enableGeckoProfilingWithSlowAssertions();
function* f71() {
try {
yield;
} finally {
for (let b18 = undefined; b18 < 10; b18++) {}
}
}
for (var i62 = 0; i62 < 10; ++i62) {
let c73 = f71();
c73.next();
c73.return();
}
Backtrace:
received signal SIGTRAP, Trace/breakpoint trap.
0x000018eae3ac2ba9 in ?? ()
#0 0x000018eae3ac2ba9 in ?? ()
[...]
#4 0x0000000000000000 in ?? ()
rax 0x7fffffffaea0 140737488334496
rbx 0xfff9000000000001 -1970324836974591
rcx 0xfffe0ebd53f00b48 -546743633573048
rdx 0x7fffffffaf78 140737488334712
rsi 0x0 0
rdi 0x7ffff6018000 140737320681472
rbp 0x7fffffffaea0 140737488334496
rsp 0x7fffffffae40 140737488334400
r8 0x0 0
r9 0x43c38cbc323a 74507158827578
r10 0x7ffff60cb080 140737321414784
r11 0x0 0
r12 0x8 8
r13 0x7ffff6027190 140737320743312
r14 0x0 0
r15 0x7ffff6027198 140737320743320
rip 0x18eae3ac2ba9 27397121125289
=> 0x18eae3ac2ba9: mov %rsp,%rbx
0x18eae3ac2bac: mov %rbp,%rsi
|
Reporter | |
Comment 1•2 years ago
|
||
|
|
Reporter | |
Comment 2•2 years ago
|
||
|
||
Comment 3•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220614034707-e08de019b69b.
The bug appears to have been introduced in the following build range:
Start: 18e3543d1c316bf5c77a138c8654edfae7dd43ea (20220611095155)
End: 0caaf8ce42dbe6723c64270dd0d5364fca731979 (20220611081516)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=18e3543d1c316bf5c77a138c8654edfae7dd43ea&tochange=0caaf8ce42dbe6723c64270dd0d5364fca731979
|
Assignee | |
Comment 4•2 years ago
|
||
In GetLastProfilingFrame, we should be returning rfe->stackPointer instead of rfe->framePointer because the latter now points to the caller frame. The patches in bug 1774166 change this code and will fix this bug. Leaving this open and keeping the NI to land the test case later.
|
|
Assignee | |
Comment 5•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 6•2 years ago
|
||
:jandem, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5093bcd97c9c Add test fixed by bug 1774166. r=iain
|
||
Comment 9•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 10•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220615154659-5093bcd97c9c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Updated•2 years ago
|
Description
•