Closed Bug 994406 Opened 6 years ago Closed 6 years ago

Crash [@ js::ProfileEntry::setPC] or Assertion failure: size_before == *profiler->size_, at vm/SPSProfiler.cpp

Categories

(Core :: JavaScript Engine: JIT, defect, critical)
Platform: x86_64
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED DUPLICATE of bug 970252
Tracking Status: firefox31 --- affected

People

(Reporter: gkw, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:])

Attachments

(1 file)

Attached file debug and opt stacks
enableSPSProfilingAssertions(false)
function m() {
    try {
        (function g() {
            for (v of []) {}
            return g()
        })()
    } catch (e) {}
    (function() {})()
}
m()

asserts js debug shell on m-c changeset 690c810c8e3e with --ion-parallel-compile=off --ion-eager at Assertion failure: size_before == *profiler->size_, at vm/SPSProfiler.cpp and crashes js opt shell at js::ProfileEntry::setPC

My configure (opt) flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

My configure (debug) flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

Filing this separately from bug 970252 because this testcase crashes opt but that one doesn't. Locking s-s pending analysis by a dev.

Setting needinfo? from jandem because he was working on bug 970252. Feel free to dupe if this is indeed a dupe - but please add the testcase.
Flags: needinfo?(jdemooij)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/7349a4fc4d58
user:        Terrence Cole
date:        Thu Oct 17 18:07:39 2013 -0700
summary:     Bug 928140 - Add postbarrier when inlining UnsafeSetReservedSlot; r=shu

Bug 928140 caused this opt crash to show up. Terrence, is it likely related?
Blocks: 928140
Flags: needinfo?(terrence)
(lldb) dis -p
js-opt-64-dm-ts-darwin-690c810c8e3e`js::ProfileEntry::setPC(unsigned char*) volatile + 18 [inlined] js::ProfileEntry::script() const volatile + 4 at SPSProfiler.cpp:336
js-opt-64-dm-ts-darwin-690c810c8e3e`js::ProfileEntry::setPC(unsigned char*) volatile + 14 at SPSProfiler.cpp:336:
-> 0x1003d4e92:  subl   0x18(%rax), %esi
   0x1003d4e95:  movl   %esi, %eax
   0x1003d4e97:  movl   %eax, 0x18(%rdi)
   0x1003d4e9a:  popq   %rbp
(lldb) register read $rax
     rax = 0x0000000000000000
(lldb) register read $esi
     esi = 0x0161b942
(lldb)

Looks like a null-deref at first glance, setting sec-high pending further analysis.
Group: core-security
Keywords: sec-high
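The "null-deref at first glance" call above comes from one rule: take the instruction lldb marks with "->", find its memory operand, plug in the dumped register values and see whether the effective address lands in the first page. The script below is that rule written out as a triage helper. It is an added example for this page, not SpiderMonkey code or Mozilla tooling; it runs over the lldb text pasted in the comment above (symbol lines omitted) and reports whether the faulting access is a read or a write and what address it touched. The AT&T operand order, the "->" marker convention and the 4 KiB null-page threshold are assumptions of the example.

```python
"""Crash-triage helper: is the faulting instruction a null-page access?

Added example for this bug page; it is not SpiderMonkey code or Mozilla
tooling. It reads the lldb text pasted in the comment above and applies
the same reasoning as the "null-deref" call: find the instruction lldb
marks with "->", locate its memory operand, plug in the register values
from "register read", and check whether the effective address is small.
"""
import re

# lldb output copied from the comment above (symbol lines omitted).
LLDB_OUTPUT = """\
(lldb) dis -p
-> 0x1003d4e92:  subl   0x18(%rax), %esi
   0x1003d4e95:  movl   %esi, %eax
   0x1003d4e97:  movl   %eax, 0x18(%rdi)
   0x1003d4e9a:  popq   %rbp
(lldb) register read $rax
     rax = 0x0000000000000000
(lldb) register read $esi
     esi = 0x0161b942
"""

NULL_PAGE_LIMIT = 0x1000  # assumption: 4 KiB zero page, not a value from the bug

FAULT_RE = re.compile(r"^->\s+0x[0-9a-fA-F]+:\s+(\w+)\s+(.+?)\s*$", re.M)
REG_RE = re.compile(r"^\s*(\w+)\s*=\s*(0x[0-9a-fA-F]+)\s*$", re.M)
# AT&T memory operand: disp(base,index,scale); every part is optional.
MEM_RE = re.compile(r"^(-?(?:0x[0-9a-fA-F]+|\d+))?\((%\w+)?(?:,(%\w+))?(?:,(\d))?\)$")
# Two-operand instructions that only read the operand in destination position.
READ_ONLY_LAST = {"cmp", "test"}
MASK64 = (1 << 64) - 1


def parse_registers(text):
    """Map register name to value from every 'name = 0x...' line."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def split_operands(ops):
    """Split on commas that are not inside a parenthesised memory operand."""
    return [o.strip() for o in re.split(r",(?![^(]*\))", ops)]


def effective_address(operand, regs):
    """disp + base + index*scale for an AT&T memory operand, or None when a
    register it needs was not dumped."""
    m = MEM_RE.match(operand)
    if not m:
        return None
    disp, base, index, scale = m.groups()
    addr = int(disp, 0) if disp else 0  # base 0 handles 0x.. and negatives
    for reg, mult in ((base, 1), (index, int(scale) if scale else 1)):
        if reg:
            name = reg.lstrip("%")
            if name not in regs:
                return None
            addr += regs[name] * mult
    return addr & MASK64


def classify_fault(text):
    """Describe the memory access of the instruction lldb marks with '->'.

    Returns None when no marked instruction is found, otherwise a dict with
    the mnemonic, the memory operand (None for register-only instructions),
    'read' or 'write', the effective address and a null_page flag.
    """
    m = FAULT_RE.search(text)
    if not m:
        return None
    mnemonic, operands = m.group(1), split_operands(m.group(2))
    regs = parse_registers(text)
    result = {"mnemonic": mnemonic, "operand": None, "access": None,
              "address": None, "null_page": False}
    for pos, op in enumerate(operands):
        if "(" not in op:
            continue
        # Strip the AT&T size suffix (subl -> sub) before the lookup.
        root = mnemonic[:-1] if len(mnemonic) > 1 and mnemonic[-1] in "bwlq" else mnemonic
        # AT&T order is src, dst: a memory operand in last position of a
        # two-operand instruction is written unless the instruction only compares.
        is_dst = len(operands) > 1 and pos == len(operands) - 1
        addr = effective_address(op, regs)
        result.update(operand=op,
                      access="write" if is_dst and root not in READ_ONLY_LAST else "read",
                      address=addr,
                      null_page=addr is not None and addr < NULL_PAGE_LIMIT)
        break
    return result


def summarize(text):
    """One-line triage verdict for a pasted lldb snapshot."""
    r = classify_fault(text)
    if r is None:
        return "no faulting instruction ('->') found"
    if r["operand"] is None:
        return f"{r['mnemonic']}: no memory operand, not a dereference fault"
    where = "unknown address" if r["address"] is None else f"0x{r['address']:x}"
    verdict = "likely null-page deref" if r["null_page"] else "non-null address"
    return f"{r['mnemonic']} {r['operand']}: {r['access']} of {where} ({verdict})"


if __name__ == "__main__":
    print(summarize(LLDB_OUTPUT))
```

For the dump above the verdict is a read of address 0x18 through a zero rax, which is what the comment concluded. Two caveats a triager would add before settling on severity: the instruction two slots later is a write through rdi (movl %eax, 0x18(%rdi)), whose value is not in the dump, and a null-page read is only a crash on a 64-bit process where the zero page cannot be mapped; neither point is resolved by the snapshot alone.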
It seems that inserting a few more instructions somewhere throws off one of SPS's internal counters, maybe? My patch certainly couldn't have caused this directly, so I'd guess that there is a broken assumption in SPS somewhere. I know absolutely nothing about SPS, so I'm certainly not the right person to investigate this.
Flags: needinfo?(terrence)
Perhaps :djvj might know?
Flags: needinfo?(kvijayan)
Looks a lot like bug 994406.
Flags: needinfo?(jdemooij)
Eh bug 970252. Let's fix that one first and see if it fixes this bug too.
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Depends on: 970252
Just confirmed as dup.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(kvijayan)
Resolution: --- → DUPLICATE
Duplicate of bug: 970252
Group: core-security → core-security-release
Group: javascript-core-security, core-security-release