Assertion failure: sJitCodeRegionStart && sJitCodeRegionStart == aStart && sJitCodeRegionSize == aSize, at mozglue/misc/StackWalk.cpp:157
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | fixed |
| firefox115 | --- | wontfix |
| firefox116 | --- | wontfix |
| firefox117 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression)
Attachments
(1 file, 1 obsolete file)
|
48 bytes,
text/x-phabricator-request
|
ryanvm
:
approval-mozilla-esr115+
|
Details | Review |
Download a "Windows 2012 AArch64 debug" js shell from treeherder via the "B" link, download the target.jsshell.zip file (I tested a couple of revs before m-c rev 68fc9ccb5d1021ae9291069aada9262ed4975872), then extract and run ./js -e "quit()" ; on an aarch64 Win machine - you'll see this:
Assertion failure: sJitCodeRegionStart && sJitCodeRegionStart == aStart && sJitCodeRegionSize == aSize, at /builds/worker/checkouts/gecko/mozglue/misc/StackWalk.cpp:157
#01: UnregisterJitCodeRegion[C:\Users\gary_\Downloads\target.jsshell\mozglue.dll +0x7f550]
#02: ???[C:\Users\gary_\Downloads\target.jsshell\js.exe +0xeebfac]
#03: ???[C:\Users\gary_\Downloads\target.jsshell\js.exe +0x28a48c]
#04: ???[C:\Users\gary_\Downloads\target.jsshell\js.exe +0xd1fc]
#05: ???[C:\Users\gary_\Downloads\target.jsshell\js.exe +0x162211c]
#06: ???[C:\Users\gary_\Downloads\target.jsshell\js.exe +0x16221c0]
#07: BaseThreadInitThunk[C:\Windows\System32\KERNEL32.DLL +0x123f0]
#08: RtlUserThreadStart[C:\Windows\SYSTEM32\ntdll.dll +0x72eac]
The opt shell crashes on shutdown as well. Jan, who is the best person to look at this? This makes other forms of testing virtually impossible.
|
Assignee | |
Comment 1•2 years ago
|
||
Hey Gary, thanks for reporting this.
Do you happen to know if this is a relatively recent regression? Or did you just start testing those builds?
|
|
Assignee | |
Comment 2•2 years ago
|
||
I suspect the assertion fails because aSize is off by a page size.
In ReserveProcessExecutableMemory, we add the size of a page to bytes. If we don't have an exception handler installed and are on ARM64, we then pass that modified size to RegisterJitCodeRegion.
In DeallocateProcessExecutableMemory, we call UnregisterJitCodeRegion with bytes (this is MaxCodeBytesPerProcess passed by the caller).
|
|
Assignee | |
Comment 3•2 years ago
|
||
|
|
Assignee | |
Comment 4•2 years ago
|
||
Can you see if the attached patch helps? I haven't tested it yet though.
|
|
Assignee | |
Comment 5•2 years ago
|
||
I also started some Windows ARM64 try builds in case downloading one of those is easier: https://treeherder.mozilla.org/jobs?repo=try&group_state=expanded&revision=96c5841d3700652e8cf2ed3e823a7e6e8907c595
|
Reporter | |
Comment 6•2 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #5)
I also started some Windows ARM64 try builds in case downloading one of those is easier: https://treeherder.mozilla.org/jobs?repo=try&group_state=expanded&revision=96c5841d3700652e8cf2ed3e823a7e6e8907c595
This patch works great!
|
|
Reporter | |
Comment 7•2 years ago
|
||
I'm going to guess this is related to bug 1530552 as a possible regressor, looking at the lines the patch changed. Jan, would you agree?
|
|
Assignee | |
Comment 8•2 years ago
|
||
Yes that makes sense.
|
|
Assignee | |
Comment 9•2 years ago
|
||
On Win64 platforms (NEED_JIT_UNWIND_HANDLING), we reserve an extra page in
ReserveProcessExecutableMemory for the generated exception handler.
Before this patch we'd skip the first page if we generated an exception handler there.
If we didn't generate an exception handler (for example JS shell builds on ARM64)
we'd not skip the first page and instead have an unused page at the end of the JIT
code region.
With this patch we always skip the first page if we reserved one. This fixes an
assertion failure in UnregisterExecutableMemory for Windows ARM64 JS shell builds.
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Comment 10•2 years ago
|
||
|
||
Comment 11•2 years ago
|
||
Set release status flags based on info from the regressing bug 1530552
|
||
Comment 12•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 13•2 years ago
|
||
The patch landed in nightly and beta is affected.
:jandem, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox116towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 14•2 years ago
|
||
Probably makes sense to fix this on ESR115 because that will be supported for a while still, but for beta it can just ride the trains.
|
|
Assignee | |
Comment 15•2 years ago
|
||
Comment on attachment 9342227 [details]
Bug 1841250 - Always skip first code page on Windows 64-bit platforms. r?iain!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: This fixes a shutdown crash with SpiderMonkey builds for Windows ARM64.
ESR115 will be supported for quite a while still so it probably makes sense to fix it there too.
- User impact if declined:
- Fix Landed on Version: 117
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Pretty local change and this has been tested in Nightly.
|
||
Comment 16•2 years ago
|
||
Comment on attachment 9342227 [details]
Bug 1841250 - Always skip first code page on Windows 64-bit platforms. r?iain!
Approved for 115.1esr.
|
|
||
Comment 17•2 years ago
|
||
| uplift | ||
|
|
||
Comment 18•2 years ago
|
||
| bugherder uplift | ||
|
|
Reporter | |
Updated•1 year ago
|
Description
•