Closed Bug 1151634 Opened 9 years ago Closed 9 years ago

Crash [@ JS::ProfilingFrameIterator::extractStack] or Assertion failure: nativeStartAddr, at jit/JitcodeMap.h

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla40
Tracking Status
firefox40 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords)

Crash Data

Attachments

(3 files)

// Randomly chosen test: js/src/jit-test/tests/debug/bug1106164.js
var g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function () { };");
enableSPSProfiling();
// Randomly chosen test: js/src/jit-test/tests/profiler/debugmode-osr-resume-addr.js
enableSingleStepProfiling();
// jsfunfuzz-generated
a()

asserts js debug ARM-simulator shell on m-c changeset 883e17fc475f with --fuzzing-safe --no-threads --ion-eager at Assertion failure: nativeStartAddr, at jit/JitcodeMap.h and crashes js opt ARM-simulator shell at JS::ProfilingFrameIterator::extractStack.

Debug configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32 --enable-arm-simulator" -r 883e17fc475f

Opt configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --disable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build --32 --enable-arm-simulator" -r 883e17fc475f

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/88a1963baa28
user:        Shu-yu Guo
date:        Mon Mar 09 18:55:26 2015 -0700
summary:     Bug 1140741 - Teach JitProfilingFrameIterator to read DebugModeOSRInfo. (r=djvj)

Shu-yu, is bug 1140741 a likely regressor?
Flags: needinfo?(shu)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x943c8, 0x00531827 js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalEntry::BaseEntry::init(this=<unavailable>, kind=<unavailable>, code=<unavailable>, nativeStartAddr=<unavailable>, nativeEndAddr=<unavailable>) + 247 at JitcodeMap.h:164, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00531827 js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalEntry::BaseEntry::init(this=<unavailable>, kind=<unavailable>, code=<unavailable>, nativeStartAddr=<unavailable>, nativeEndAddr=<unavailable>) + 247 at JitcodeMap.h:164
    frame #1: 0x00501de4 js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalTable::lookupInternal(void*) [inlined] js::jit::JitcodeGlobalEntry::QueryEntry::init(this=0x0000000f, addr=<unavailable>) + 68 at JitcodeMap.h:489
    frame #2: 0x00501dbe js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalTable::lookupInternal(void*) [inlined] js::jit::JitcodeGlobalEntry::MakeQuery(ptr=<unavailable>) at JitcodeMap.h:562
    frame #3: 0x00501dbe js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalTable::lookupInternal(this=0x01dcd5d0, ptr=0x00000000) + 30 at JitcodeMap.cpp:465
    frame #4: 0x0048b226 js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalTable::lookup(this=<unavailable>, ptr=<unavailable>, result=0xbfffd430, rt=0x01d43000) + 38 at JitcodeMap.cpp:421
(lldb)
Attached file stack of opt crash
(lldb) bt 5
* thread #1: tid = 0x9448f, 0x0018048c js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const [inlined] js::jit::JitcodeGlobalEntry::callStackAtAddr(this=0x00000000, this=<unavailable>, rt=<unavailable>, ptr=<unavailable>, maxResults=<unavailable>) const at JitcodeMap.h:742, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0018048c js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const [inlined] js::jit::JitcodeGlobalEntry::callStackAtAddr(this=0x00000000, this=<unavailable>, rt=<unavailable>, ptr=<unavailable>, maxResults=<unavailable>) const at JitcodeMap.h:742
    frame #1: 0x0018048c js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`JS::ProfilingFrameIterator::extractStack(this=<unavailable>, frames=<unavailable>, offset=<unavailable>, end=<unavailable>) const + 588 at Stack.cpp:1924
    frame #2: 0x00010c48 js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`SingleStepCallback(arg=<unavailable>, sim=<unavailable>, pc=<unavailable>) + 280 at js.cpp:4156
    frame #3: 0x00450e94 js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`void js::jit::Simulator::execute<false>(this=0x01772000) + 52 at Simulator-arm.cpp:4218
    frame #4: 0x003fed47 js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::Simulator::call(unsigned char*, int, ...) [inlined] js::jit::Simulator::callInternal(entry=<unavailable>) + 213 at Simulator-arm.cpp:4321
(lldb)
I'm not personally a fan of this fix, but I think it's the best we can
realistically do. The issue here is that unlike the rest of the engine,
JitProfilingFrameIterator can't use the override pc right now.

With delayed symbolication, where we save sampled native code addrs for
symbolication later, we actually need to save a real code pointer. To teach
JitProfilingFrameIterator and nsProfiler how to deal with override pcs as well
as native addresses isn't worth it for just this corner case.

Let me know what you think.
Attachment #8588845 - Flags: review?(jdemooij)
Flags: needinfo?(shu)
Comment on attachment 8588845 [details] [diff] [review]
Patch a valid return address for debug mode OSR from exception handler when profiling is enabled.

Review of attachment 8588845 [details] [diff] [review]:
-----------------------------------------------------------------

Hm, yes, this seems simpler than the alternatives.
Attachment #8588845 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/5e0f94962830
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
