Closed Bug 1108556 Opened 10 years ago Closed 10 years ago

Hit MOZ_CRASH(Invalid PC offset for IC entry.) at jit/BaselineJIT.cpp:586 or Crash [@ js::jit::BaselineScript::anyKindICEntryFromPCOffset]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1108145
Tracking Status
firefox37 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

The following testcase crashes on mozilla-central revision 035a951fc24a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

```js
var g = newGlobal();
g.parent = this;
// Install a Debugger hook in a separate global that observes exception unwinding
// in the parent global; `hits` is intentionally undeclared in this fuzzer testcase.
g.eval("new Debugger(parent).onExceptionUnwind = function () { hits++; };");
// The loop condition is always truthy, so the string doubles until the
// allocation fails and an exception unwinds through the Ion-compiled frame.
evaluate('\
var fe="v";\
for (i=0; String.fromCharCode(0x004E); i++)\
fe += fe;\
', { compileAndGo : true });
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
js::jit::BaselineScript::anyKindICEntryFromPCOffset (this=0x17f5e00, pcOffset=39) at js/src/jit/BaselineJIT.cpp:586
586         MOZ_CRASH("Invalid PC offset for IC entry.");
#0  js::jit::BaselineScript::anyKindICEntryFromPCOffset (this=0x17f5e00, pcOffset=39) at js/src/jit/BaselineJIT.cpp:586
#1  0x00000000005bd322 in InitFromBailout (poppedLastSPSFrameOut=0x7fffffffc76f, excInfo=<optimized out>, callPC=<synthetic pointer>, nextCallee=0x0, startFrameFormals=..., builder=..., iter=..., ionScript=0x48, script=0x7ffff5961230, fun=0x0, callerPC=<optimized out>, caller=0x0, cx=0x16f1990, invalidate=<optimized out>) at js/src/jit/BaselineBailouts.cpp:1041
#2  js::jit::BailoutIonToBaseline (cx=0x16f1990, activation=<optimized out>, iter=..., invalidate=<optimized out>, bailoutInfo=0x7fffffffc760, excInfo=0x7fffffffc8e0, poppedLastSPSFrameOut=0x7fffffffc76f) at js/src/jit/BaselineBailouts.cpp:1510
#3  0x000000000052ec05 in js::jit::ExceptionHandlerBailout (cx=0x16f1990, frame=..., rfe=0x7fffffffd030, excInfo=..., overrecursed=0x7fffffffc97e) at js/src/jit/Bailouts.cpp:201
#4  0x00000000006378b3 in HandleExceptionIon (overrecursed=0x7fffffffc97e, rfe=0x7fffffffd030, frame=..., cx=0x16f1990) at js/src/jit/JitFrames.cpp:447
#5  js::jit::HandleException (rfe=0x7fffffffd030) at js/src/jit/JitFrames.cpp:745
[...]
#11 0x0000000000000000 in ?? ()
rax            0x17f5f08        25124616
rbx            0x17f55c0        25122240
rcx            0x2c             44
rdx            0x31             49
rsi            0x27             39
rdi            0x17f5e00        25124352
rbp            0x7fffffffc8e0   140737488341216
rsp            0x7fffffffbe70   140737488338544
r8             0x7              7
r9             0x7              7
r10            0x14             20
r11            0x0              0
r12            0x7ffff589bc06   140737312832518
r13            0x17f5e00        25124352
r14            0x0              0
r15            0x0              0
rip            0x59d9cf <js::jit::BaselineScript::anyKindICEntryFromPCOffset(unsigned int)+159>
=> 0x59d9cf <js::jit::BaselineScript::anyKindICEntryFromPCOffset(unsigned int)+159>:   movl   $0x7b,0x0
   0x59d9da <js::jit::BaselineScript::anyKindICEntryFromPCOffset(unsigned int)+170>:   callq  0x4047e0 <abort@plt>
```
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: Due to skipped revisions, the first bad revision could be any of:

changeset: https://hg.mozilla.org/mozilla-central/rev/b160657339f8
user: Shu-yu Guo
date: Thu Nov 13 14:39:39 2014 -0800
summary: Bug 1032869 - Part 2: Move debuggee-ness to frames and selectively deoptimize when Debugger needs to observe execution. (r=jimb)

changeset: https://hg.mozilla.org/mozilla-central/rev/bb2f13ba7b1c
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1062629 - Off-thread compartment debug mode should match main thread compartment debug mode. (r=jimb)

changeset: https://hg.mozilla.org/mozilla-central/rev/1176cc3c3b34
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1063328 - Fix on-stack live iterator handling when bailing out in-place due to debug mode OSR. (r=jandem)

changeset: https://hg.mozilla.org/mozilla-central/rev/f8e316fa65bb
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1063330 - Remove the JS shell's evalInFrame. (r=jimb)

changeset: https://hg.mozilla.org/mozilla-central/rev/96a2f59f6ce4
user: Shu-yu Guo
date: Thu Nov 13 14:39:40 2014 -0800
summary: Bug 1032869 - Part 3: Don't consider onExceptionUnwind an all-execution-observing hook. (r=jandem)

This iteration took 277.976 seconds to run.
Shu-yu, perhaps this is related to bug 1108145? (Except that the testcase here does not involve the timeout or load functions.)
Flags: needinfo?(shu)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE