Closed
Bug 854157
Opened 11 years ago
Closed 11 years ago
Assertion failure: regs->fp() == regs_->fp()->prev(), at vm/Stack.cpp or Assertion failure: !inline_, at vm/Stack.cpp with gcPreserveCode
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox20 | --- | unaffected |
| firefox21 | --- | affected |
| firefox22 | --- | affected |
| firefox23 | --- | verified |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:][adv-main23+])
Attachments
(2 files)
The attached testcase asserts js debug shell on m-c changeset bcf09432affd with --no-ion and -a at Assertion failure: regs->fp() == regs_->fp()->prev(), at vm/Stack.cpp (This was a very tough testcase to reduce) autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 120310:d7dd65663469 user: Brian Hackett date: Tue Jan 29 16:20:03 2013 -0700 summary: Bug 833898 - Allow converting mixed arrays of ints and doubles to uniform doubles, r=jandem.
|
Reporter | |
Comment 1•11 years ago
|
||
This testcase involves gcPreserveCode, which the testcases in the other bugs (bug 851247 and bug 852202) don't have. autoBisect also points to a different changeset. Brian, is bug 833898 a possible cause?
Flags: needinfo?(bhackett1024)
Summary: Assertion failure: regs->fp() == regs_->fp()->prev(), at vm/Stack.cpp → Assertion failure: regs->fp() == regs_->fp()->prev(), at vm/Stack.cpp with gcPreserveCode
|
|
Reporter | |
Comment 2•11 years ago
|
||
|
|
Reporter | |
Comment 3•11 years ago
|
||
During the course of reduction, the assertion located here: http://hg.mozilla.org/mozilla-central/annotate/ec68e56cafa3/js/src/vm/Stack.cpp#l1263 was also hit: Assertion failure: !inline_, at vm/Stack.cpp
Summary: Assertion failure: regs->fp() == regs_->fp()->prev(), at vm/Stack.cpp with gcPreserveCode → Assertion failure: regs->fp() == regs_->fp()->prev(), at vm/Stack.cpp or Assertion failure: !inline_, at vm/Stack.cpp with gcPreserveCode
|
|
Reporter | |
Comment 4•11 years ago
|
||
jandem mentioned over IRC that this might be memory corruption or something, so locking s-s just to be safe. I'll try to reproduce this again.
Group: core-security
|
|
Reporter | |
Comment 5•11 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4) > jandem mentioned over IRC that this might be memory corruption or something, > so locking s-s just to be safe. I'll try to reproduce this again. I can definitely still reproduce this on m-c tip c9bf19d37fe0: $ ./js-dbg-64-dm-ts-darwin-c9bf19d37fe0 --no-ion -a ~/Downloads/854157.js fuzzSeed: 115076139 Assertion failure: regs->fp() == regs_->fp()->prev(), Tested on 64-bit debug threadsafe deterministic build on Mac.
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 6•11 years ago
|
||
JSBugMon: Cannot process bug: Unknown exception (check manually)
|
||
Updated•11 years ago
|
Assignee: general → bhackett1024
status-b2g18:
--- → unaffected
status-firefox20:
--- → unaffected
status-firefox21:
--- → affected
status-firefox22:
--- → affected
status-firefox23:
--- → affected
status-firefox-esr17:
--- → unaffected
|
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:update]
|
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 7•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f20b0ce9e528).
|
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
Reporter | |
Comment 8•11 years ago
|
||
I suspect the landing of BaselineCompiler might have caused this bug to go away.
|
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
||
Comment 9•11 years ago
|
||
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 127440:492e87516012 parent: 127437:d4656be59219 parent: 126103:5b7ed1616c62 user: Jan de Mooij date: Mon Mar 25 10:27:13 2013 +0100 summary: Merge from mozilla-inbound. This iteration took 170.595 seconds to run. Oops! We didn't test rev d4656be59219, a parent of the blamed revision! Let's do that now. We did not test rev d4656be59219 because it is not a descendant of either bcf09432affd or 445d8eecdd80. Rev d4656be59219: Updating... Compiling... Testing... [Uninteresting] It didn't crash. (6.352 seconds) good (not interesting) Bisect lied to us! Parent rev d4656be59219 was also good! Oops! We didn't test rev 5b7ed1616c62, a parent of the blamed revision! Let's do that now. Rev 5b7ed1616c62: Updating... Compiling... Testing... Exit status: CRASHED signal 11 (SIGSEGV) (15.878 seconds) bad (interesting) As expected, the parent's label is the opposite of the blamed rev's label. Perhaps we should expand the search to include the common ancestor of the blamed changeset's parents. The common ancestor of d4656be59219 and 5b7ed1616c62 is 0e9badd3cf39. Rev 0e9badd3cf39: Updating... Compiling... Testing... Exit status: CRASHED signal 11 (SIGSEGV) (16.439 seconds) bad (interesting) The following line is still under testing: Try setting -s to 0e9badd3cf39, and -e to 445d8eecdd80, and re-run autoBisect.
|
|
Reporter | |
Comment 10•11 years ago
|
||
Assuming fixed by BaselineCompiler.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → FIXED
|
|
Reporter | |
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 11•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Comment 12•11 years ago
|
||
Marking status-firefox23:verified as per comment 11
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:][adv-main23+]
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•