994406 - Crash [@ js::ProfileEntry::setPC] or Assertion failure: size_before == *profiler->size_, at vm/SPSProfiler.cpp

Status: RESOLVED DUPLICATE of bug 970252

(Core :: JavaScript Engine: JIT, defect, critical)

Description

[Gary Kwong [:gkw] [:nth10sd]]

Attachment: debug and opt stacks

enableSPSProfilingAssertions(false)
function m() {
    try {
        (function g() {
            for (v of []) {}
            return g()
        })()
    } catch (e) {}
    (function() {})()
}
m()

asserts js debug shell on m-c changeset 690c810c8e3e with --ion-parallel-compile=off --ion-eager at Assertion failure: size_before == *profiler->size_, at vm/SPSProfiler.cpp and crashes js opt shell at js::ProfileEntry::setPC

My configure (opt) flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

My configure (debug) flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

Filing this separately from bug 970252 because this testcase crashes opt but that one doesn't. Locking s-s pending analysis by a dev.

Setting needinfo? from jandem because he was working on bug 970252. Feel free to dupe if this is indeed a dupe - but please add the testcase.

Comment 1

[Gary Kwong [:gkw] [:nth10sd]]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/7349a4fc4d58
user:        Terrence Cole
date:        Thu Oct 17 18:07:39 2013 -0700
summary:     Bug 928140 - Add postbarrier when inlining UnsafeSetReservedSlot; r=shu

Bug 928140 caused this opt crash to show up. Terrence, is it likely related?

Comment 2

[Gary Kwong [:gkw] [:nth10sd]]

(lldb) dis -p
js-opt-64-dm-ts-darwin-690c810c8e3e`js::ProfileEntry::setPC(unsigned char*) volatile + 18 [inlined] js::ProfileEntry::script() const volatile + 4 at SPSProfiler.cpp:336
js-opt-64-dm-ts-darwin-690c810c8e3e`js::ProfileEntry::setPC(unsigned char*) volatile + 14 at SPSProfiler.cpp:336:
-> 0x1003d4e92:  subl   0x18(%rax), %esi
   0x1003d4e95:  movl   %esi, %eax
   0x1003d4e97:  movl   %eax, 0x18(%rdi)
   0x1003d4e9a:  popq   %rbp
(lldb) register read $rax
     rax = 0x0000000000000000
(lldb) register read $esi
     esi = 0x0161b942
(lldb)

Looks like a null-deref at first glance, setting sec-high pending further analysis.

Comment 3

[Terrence Cole [:terrence]]

It seems that inserting a few more instructions somewhere throws off one of SPS's internal counters, maybe? My patch certainly couldn't have caused this directly, so I'd guess that there is a broken assumption in SPS somewhere. I know absolutely nothing about SPS, so I'm certainly not the right person to investigate this.

Comment 4

[Gary Kwong [:gkw] [:nth10sd]]

Perhaps :djvj might know?

Comment 5

[Jan de Mooij [:jandem]]

Looks a lot like bug 994406.

Comment 6

[Jan de Mooij [:jandem]]

Eh bug 970252. Let's fix that one first and see if it fixes this bug too.

Comment 7

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 8

[Kannan Vijayan [:djvj]]

Just confirmed as dup.