Closed Bug 947070 Opened 11 years ago Closed 10 years ago

Assertion failure: containsPC(pc), at jsscript.h

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla29
Tracking Flags:
Tracking Status
firefox28 --- fixed
firefox29 --- fixed
firefox-esr24 --- unaffected
b2g-v1.3 --- fixed
b2g-v1.3T --- fixed
b2g-v1.4 --- fixed

People

(Reporter: gkw, Assigned: djvj)

References

Details

(4 keywords)

Attachments

(2 files, 1 obsolete file)

stack
5.07 KB, text/plain
Details
[crash-signature] Machine-readable crash signature
471 bytes, text/plain
Details
Attached file stack 
enableSPSProfilingAssertions(true);
function f() {
    (function() {
        for (var i = 0; i < 9; i++) {}
    })();
    f();
    for (var i = 0; i < 9; i++) {}
}
f()

asserts js debug shell on m-c changeset 526e12792fc8 without any CLI arguments at Assertion failure: containsPC(pc), at jsscript.h

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --disable-threadsafe

s-s because Kannan mentioned before that SPS bugs can be bad. Setting needinfo as well.
Flags: needinfo?(kvijayan)
(note to self: For now, stick a "Random.init()" line before all the FRC lines, the next time we have to use output from setting dumpEachSeed to true.)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/9c90bda44992
user:        Brian Hackett
date:        Thu Aug 15 07:33:30 2013 -0700
summary:     Bug 864220 - Use mprotect to trigger interrupts in Ion compiled code, r=luke,jandem.

Is bug 864220 a likely regressor?
Setting as moderate because it looks related to the profiler.
Keywords: sec-moderate
Assignee: general → nobody
QA Contact: general
Group: javascript-core-security
Attachment #8344597 - Attachment is obsolete: true
It looks like this may have been fixed.
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/39219e33ec40
user:        Kannan Vijayan
date:        Mon Dec 09 10:28:58 2013 -0500
summary:     Bug 834678 - Ensure correct update of lastPC_ for MInstructions which add OOL code. r=jandem

This issue seems to be gone. Kannan, is bug 834678 a likely fix?
Flags: needinfo?(gary)
Kannan mentions in-person here at the JS work week that this is a likely fix.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(kvijayan)
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Assignee: nobody → kvijayan
status-b2g-v1.3: --- → fixed
status-b2g-v1.3T: --- → fixed
status-b2g-v1.4: --- → fixed
status-firefox28: --- → fixed
status-firefox29: --- → fixed
Depends on: 834678
Target Milestone: --- → mozilla29
Group: javascript-core-security
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: