Bug 994406 (Closed)
Opened 7 years ago
Closed 7 years ago
Crash [@ js::ProfileEntry::setPC] or Assertion failure: size_before == *profiler->size_, at vm/SPSProfiler.cpp
Categories: Core :: JavaScript Engine: JIT, defect
Status: RESOLVED DUPLICATE of bug 970252
Tracking | Status
---|---
firefox31 | affected
People: Reporter: gkw, Assignee: Unassigned
Details: 5 keywords, Whiteboard: [jsbugmon:]
Attachments (1 file): testcase, 4.91 KB, text/plain
Description

    enableSPSProfilingAssertions(false)
    function m() {
        try {
            (function g() { for (v of []) {} return g() })()
        } catch (e) {}
        (function() {})()
    }
    m()

asserts js debug shell on m-c changeset 690c810c8e3e with --ion-parallel-compile=off --ion-eager at:

    Assertion failure: size_before == *profiler->size_, at vm/SPSProfiler.cpp

and crashes js opt shell at js::ProfileEntry::setPC

My configure (opt) flags are:

    CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

My configure (debug) flags are:

    CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

Filing this separately from bug 970252 because this testcase crashes opt but that one doesn't.

Locking s-s pending analysis by a dev. Setting needinfo? from jandem because he was working on bug 970252. Feel free to dupe if this is indeed a dupe - but please add the testcase.
Flags: needinfo?(jdemooij)
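The description gives everything needed to reproduce on both builds: the testcase, the shell flags, the expected debug-build assertion text and the opt-build crash signature. The following triage harness is an added example (it is not part of the bug report and not Mozilla's own fuzzing tooling): it writes the testcase to a file, runs it under a SpiderMonkey shell with the flags from the report, and classifies the outcome as the assertion, a signal-terminated crash, or a clean run, which is the check you want when deciding whether a testcase is a duplicate of a debug-only bug or a separate opt crash. The shell command line (`js <flags> file.js`), the timeout, and the stub "shell" used for offline runs are assumptions of this example.

```python
"""Triage harness for the testcase in this bug.

Added example, not part of the bug report and not Mozilla tooling. The
shell invocation, the timeout and the stub shell are assumptions.
"""
from __future__ import annotations

import os
import re
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass

# Testcase exactly as posted in the bug description.
TESTCASE = """enableSPSProfilingAssertions(false)
function m() {
    try {
        (function g() { for (v of []) {} return g() })()
    } catch (e) {}
    (function() {})()
}
m()
"""

# Shell flags from the bug's reproduction line.
SHELL_FLAGS = ["--ion-parallel-compile=off", "--ion-eager"]

# Shape of a SpiderMonkey debug assertion line (cf. the bug title).
ASSERTION_RE = re.compile(r"Assertion failure: (.+?), at (\S+)")


@dataclass
class Verdict:
    kind: str        # "assertion", "crash", "clean" or "error"
    detail: str
    returncode: int


def classify(returncode: int, stderr: str) -> Verdict:
    """Map a shell run's exit status and stderr onto a triage verdict."""
    m = ASSERTION_RE.search(stderr)
    if m:
        return Verdict("assertion", f"{m.group(1)} at {m.group(2)}", returncode)
    if returncode < 0:
        # subprocess reports death-by-signal as -signum on POSIX.
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = f"signal {-returncode}"
        return Verdict("crash", f"terminated by {name}", returncode)
    if returncode == 0:
        return Verdict("clean", "no assertion, no signal", returncode)
    return Verdict("error", f"exit status {returncode}", returncode)


def run_testcase(shell_cmd: list[str], flags: list[str] = SHELL_FLAGS,
                 timeout: float = 60) -> Verdict:
    """Run TESTCASE under `shell_cmd` (e.g. ["/path/to/js"]) and classify it."""
    with tempfile.NamedTemporaryFile("w", suffix=".js", delete=False) as f:
        f.write(TESTCASE)
        path = f.name
    try:
        proc = subprocess.run(shell_cmd + flags + [path],
                              capture_output=True, text=True, timeout=timeout)
    finally:
        os.unlink(path)
    return classify(proc.returncode, proc.stderr)


def make_stub_shell(mode: str) -> list[str]:
    """Fake 'shell' for offline use (an assumption of this example): a Python
    one-liner that imitates the debug assertion, the opt crash, or a clean
    exit. It ignores its arguments and never executes the JavaScript."""
    if mode == "debug":
        body = ("import os, sys; sys.stderr.write('Assertion failure: "
                "size_before == *profiler->size_, at vm/SPSProfiler.cpp:1\\n'); "
                "sys.stderr.flush(); os.abort()")
    elif mode == "opt":
        body = "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"
    else:
        body = "pass"
    return [sys.executable, "-c", body]


if __name__ == "__main__":
    # Usage: triage.py /path/to/js-debug /path/to/js-opt  (no args: run the stubs)
    shells = [[p] for p in sys.argv[1:]] or [make_stub_shell(m) for m in ("debug", "opt")]
    for cmd in shells:
        v = run_testcase(cmd)
        print(f"{cmd[0]}: {v.kind} ({v.detail}, rc={v.returncode})")
```

Run it with the debug and opt shell paths as arguments; the expected pair of verdicts for this bug is `assertion` on the debug build and `crash` on the opt build, which is exactly the split that justified filing it separately from bug 970252.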
Comment 1•7 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/7349a4fc4d58
user: Terrence Cole
date: Thu Oct 17 18:07:39 2013 -0700
summary: Bug 928140 - Add postbarrier when inlining UnsafeSetReservedSlot; r=shu

Bug 928140 caused this opt crash to show up. Terrence, is it likely related?
Blocks: 928140
Flags: needinfo?(terrence)
Comment 2•7 years ago (Reporter)
    (lldb) dis -p
    js-opt-64-dm-ts-darwin-690c810c8e3e`js::ProfileEntry::setPC(unsigned char*) volatile + 18 [inlined] js::ProfileEntry::script() const volatile + 4 at SPSProfiler.cpp:336
    js-opt-64-dm-ts-darwin-690c810c8e3e`js::ProfileEntry::setPC(unsigned char*) volatile + 14 at SPSProfiler.cpp:336:
    -> 0x1003d4e92:  subl   0x18(%rax), %esi
       0x1003d4e95:  movl   %esi, %eax
       0x1003d4e97:  movl   %eax, 0x18(%rdi)
       0x1003d4e9a:  popq   %rbp
    (lldb) register read $rax
         rax = 0x0000000000000000
    (lldb) register read $esi
         esi = 0x0161b942
    (lldb)

Looks like a null-deref at first glance, setting sec-high pending further analysis.
Group: core-security
Keywords: sec-high
Updated•7 years ago (Reporter)
status-firefox31:
--- → affected
Comment 3•7 years ago
It seems that inserting a few more instructions somewhere throws off one of SPS's internal counters, maybe? My patch certainly couldn't have caused this directly, so I'd guess that there is a broken assumption in SPS somewhere. I know absolutely nothing about SPS, so I'm certainly not the right person to investigate this.
Flags: needinfo?(terrence)
Comment 6•7 years ago
Eh bug 970252. Let's fix that one first and see if it fixes this bug too.
Updated•7 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 7•7 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 8•7 years ago
Just confirmed as dup.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(kvijayan)
Resolution: --- → DUPLICATE
Duplicate of bug: 970252
Updated•5 years ago
Group: core-security → core-security-release
Updated•4 years ago
Group: javascript-core-security, core-security-release