1888744 - Assertion failure: !jitIter.done(), at vm/GeckoProfiler.cpp:62

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[lukas.bernhard]

Steps to reproduce:

On git commit 28cc363411d2029aed04c969c8f98785cae110db the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

x = [0,0,0,0,0,0,0,0];
function f1() {
    return enableGeckoProfiling();
}
x.sort(f1);

#0  GetTopProfilingJitFrame (act=0x7fffffffc9d0) at js/src/vm/GeckoProfiler.cpp:62
#1  js::GeckoProfilerRuntime::enable (this=0x7ffff602f378, enabled=true) at js/src/vm/GeckoProfiler.cpp:111
#2  0x000055555718e2fb in EnableGeckoProfiling (cx=cx@entry=0x7ffff6039100, argc=<optimized out>, vp=<optimized out>)
    at js/src/shell/js.cpp:7366
#3  0x00005555572693b7 in CallJSNative (cx=cx@entry=0x7ffff6039100, 
    native=native@entry=0x55555718e240 <EnableGeckoProfiling(JSContext*, unsigned int, JS::Value*)>,
    reason=reason@entry=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:479
#4  0x00005555572685d2 in js::InternalCallOrConstruct (cx=0x7ffff6039100, args=..., construct=construct@entry=js::NO_CONSTRUCT,
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:573
#5  0x000055555726a326 in InternalCall (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=..., reason=1505770368)
    at js/src/vm/Interpreter.cpp:640
#6  0x000055555727e5b1 in js::CallFromStack (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=..., reason=<optimized out>)
    at js/src/vm/Interpreter.cpp:645
#7  js::Interpret (cx=0x7ffff6039100, state=...) at js/src/vm/Interpreter.cpp:3060
#8  0x0000555557267b27 in MaybeEnterInterpreterTrampoline (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6039100, state=...)
    at js/src/vm/Interpreter.cpp:393
#9  0x000055555726781a in js::RunScript (cx=cx@entry=0x7ffff6039100, state=...) at js/src/vm/Interpreter.cpp:451
#10 0x00005555572684ff in js::InternalCallOrConstruct (cx=0x7ffff6039100, args=..., construct=construct@entry=js::NO_CONSTRUCT,
    reason=<optimized out>) at js/src/vm/Interpreter.cpp:605
#11 0x000055555726a326 in InternalCall (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6039100, args=..., reason=1505770368,
    reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:640
#12 0x000055555726a50e in js::Call (cx=cx@entry=0x7ffff6039100, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=...,
    reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:672
#13 0x0000555558225118 in js::jit::InvokeFunction (cx=cx@entry=0x7ffff6039100, obj=obj@entry=..., constructing=<optimized out>,
    ignoresReturnValue=false, argc=argc@entry=2, argv=argv@entry=0x7fffffffc830, rval=...)
    at js/src/jit/VMFunctions.cpp:545
#14 0x0000555558225c99 in js::jit::InvokeFromInterpreterStub (cx=0x7ffff6039100, frame=<optimized out>)
    at js/src/jit/VMFunctions.cpp:569
#15 0x000037f7787c1f20 in ?? ()
#16 0x00007fffffffc900 in ?? ()

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Regression range seems to be: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7f2993771f48536c575137e4b51984ab6d3de136&tochange=9c458764557de25f93134811a808f6c5b68b5683

Jan, is bug 1884360 a likely regressor?

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1884360

Comment 3

[Jan de Mooij [:jandem]]

Attachment: Bug 1888744 - Fix profiler code to handle activations with only trampoline native frames better. r?iain!

Comment 5

[Pulsebot]

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5869a1ed97bd
Fix profiler code to handle activations with only trampoline native frames better. r=iain

Comment 6

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/5869a1ed97bd