Closed
Bug 1107913
Opened 11 years ago
Closed 11 years ago
Assertion failure: needsRecompileInfo() && recompInfo, at js/src/jit/BaselineDebugModeOSR.cpp:112 or Crash [@ PatchBaselineFramesForDebugMode]
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, mozilla37
People: Reporter: decoder, Assigned: shu
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 1 file (3.93 KB, patch; jandem: review+)
The following testcase crashes on mozilla-central revision 29d086b32a26 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --ion-eager --no-threads):
var g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function () {};");
Object.preventExtensions(this);
evaluate("function testcase() { }", { noScriptRval : true, compileAndGo : true });
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000006ae13c in DebugModeOSREntry::takeRecompInfo (this=<optimized out>) at js/src/jit/BaselineDebugModeOSR.cpp:112
112 MOZ_ASSERT(needsRecompileInfo() && recompInfo);
#0 0x00000000006ae13c in DebugModeOSREntry::takeRecompInfo (this=<optimized out>) at js/src/jit/BaselineDebugModeOSR.cpp:112
#1 0x00000000006a13f6 in takeRecompInfo (this=<optimized out>) at js/src/jit/BaselineDebugModeOSR.cpp:112
#2 PatchBaselineFramesForDebugMode (start=<synthetic pointer>, entries=..., activation=..., obs=..., cx=0x1a04100) at js/src/jit/BaselineDebugModeOSR.cpp:472
#3 js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=0x1a04100, obs=..., observing=4294946832) at js/src/jit/BaselineDebugModeOSR.cpp:871
#4 0x0000000000a2c212 in js::Debugger::updateExecutionObservabilityOfFrames (cx=0x1a04100, obs=..., observing=js::Debugger::Observing) at js/src/vm/Debugger.cpp:1830
#5 0x0000000000a2c6d8 in js::Debugger::ensureExecutionObservabilityOfFrame (cx=0x1a04100, frame=...) at js/src/vm/Debugger.cpp:1995
#6 0x0000000000a5c54b in js::Debugger::getScriptFrameWithIter (this=0x1b141c0, cx=0x1a04100, frame=..., maybeIter=<optimized out>, vp=JSVAL_VOID) at js/src/vm/Debugger.cpp:469
#7 0x0000000000a5cde5 in getScriptFrame (vp=..., iter=..., cx=0x1a04100, this=0x1b141c0) at js/src/vm/Debugger.h:679
#8 js::Debugger::fireExceptionUnwind (this=0x1b141c0, cx=0x1a04100, vp=...) at js/src/vm/Debugger.cpp:1190
#9 0x0000000000a5d426 in js::Debugger::dispatchHook (cx=0x1a04100, vp=JSVAL_VOID, which=<optimized out>, payload=0x0) at js/src/vm/Debugger.cpp:1283
#10 0x0000000000a5d94b in js::Debugger::slowPathOnExceptionUnwind (cx=0x1a04100, frame=...) at js/src/vm/Debugger.cpp:738
#11 0x0000000000710466 in onExceptionUnwind (frame=..., cx=0x1a04100) at js/src/vm/Debugger-inl.h:57
#12 HandleExceptionBaseline (calledDebugEpilogue=0x7fffffffc07f, unwoundScopeToPc=<synthetic pointer>, rfe=0x7fffffffc780, frame=..., cx=0x1a04100) at js/src/jit/JitFrames.cpp:591
#13 js::jit::HandleException (rfe=0x7fffffffc780) at js/src/jit/JitFrames.cpp:791
#14 0x00007ffff7f6c21f in ?? ()
[...]
#27 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffffffb5f0 140737488336368
rcx 0x7ffff6cb3f60 140737333903200
rdx 0x0 0
rsi 0x7ffff6f87a80 140737336867456
rdi 0x7ffff6f86180 140737336861056
rbp 0x7fffffffa700 140737488332544
rsp 0x7fffffffa700 140737488332544
r8 0x7ffff7fe8740 140737354041152
r9 0x72746e65632d616c 8247338199356891500
r10 0x7fffffffa490 140737488331920
r11 0x7ffff6c3b940 140737333410112
r12 0x7fffffffc7e0 140737488340960
r13 0x0 0
r14 0x7fffffffc838 140737488341048
r15 0x7ffff7ea7280 140737352725120
rip 0x6ae13c <DebugModeOSREntry::takeRecompInfo()+28>
=> 0x6ae13c <DebugModeOSREntry::takeRecompInfo()+28>: movl $0x7b,0x0
0x6ae147 <DebugModeOSREntry::takeRecompInfo()+39>: callq 0x4049f0 <abort@plt>
Updated • 11 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 11 years ago (Reporter)
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/b160657339f8
user: Shu-yu Guo
date: Thu Nov 13 14:39:39 2014 -0800
summary: Bug 1032869 - Part 2: Move debuggee-ness to frames and selectively deoptimize when Debugger needs to observe execution. (r=jimb)
changeset: https://hg.mozilla.org/mozilla-central/rev/bb2f13ba7b1c
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1062629 - Off-thread compartment debug mode should match main thread compartment debug mode. (r=jimb)
changeset: https://hg.mozilla.org/mozilla-central/rev/1176cc3c3b34
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1063328 - Fix on-stack live iterator handling when bailing out in-place due to debug mode OSR. (r=jandem)
changeset: https://hg.mozilla.org/mozilla-central/rev/f8e316fa65bb
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1063330 - Remove the JS shell's evalInFrame. (r=jimb)
changeset: https://hg.mozilla.org/mozilla-central/rev/96a2f59f6ce4
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1032869 - Part 3: Don't consider onExceptionUnwind an all-execution-observing hook. (r=jandem)
This iteration took 1.044 seconds to run.
Comment 2 • 11 years ago
Shu-yu, are the bugs listed in comment 1 possible regressors?
Flags: needinfo?(shu)
Comment 3 • 11 years ago (Assignee)
Attachment #8532635 - Flags: review?(jdemooij)
Updated • 11 years ago (Assignee)
Flags: needinfo?(shu)
Comment 4 • 11 years ago (Assignee)
FWIW this is a continuation of bug 1100337, which I apparently didn't fix fully.
Updated • 11 years ago
Attachment #8532635 - Flags: review?(jdemooij) → review+
Comment 5 • 11 years ago (Assignee)
Comment 6 • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Comment 7 • 11 years ago
Fixed for Fx36 by the roll-up in bug 1114757.