Closed Bug 1108797 Opened 9 years ago Closed 9 years ago

Crash [@ js::jit::Simulator::readW] or Assertion failure: lastNativeOffset == nativeOffset, at jit/BaselineJIT.cpp with yield

Categories

(Core :: JavaScript Engine, defect)

Platform: ARM
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla37
Tracking Status
firefox36 --- fixed
firefox37 --- fixed

People

(Reporter: decoder, Assigned: jandem)

Details

(4 keywords, Whiteboard: [jsbugmon:testComment=2,origRev=18188c19a3c3][fuzzblocker])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision af4f2eea4e27 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager --arm-asm-nop-fill=1):

function generator() {
    yield (1);
}
var iter = generator();
iter.next();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::Simulator::readW (addr=addr@entry=0, instr=instr@entry=0xf33eea7c, this=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at js/src/jit/arm/Simulator-arm.cpp:1498
1498	        return *ptr;
#0  js::jit::Simulator::readW (addr=addr@entry=0, instr=instr@entry=0xf33eea7c, this=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at js/src/jit/arm/Simulator-arm.cpp:1498
#1  0x0847f392 in js::jit::Simulator::decodeType3 (this=0x968a3c8, instr=0xf33eea7c) at js/src/jit/arm/Simulator-arm.cpp:3207
#2  0x084b7cf5 in js::jit::Simulator::instructionDecode (this=this@entry=0x968a3c8, instr=instr@entry=0xf33eea7c) at js/src/jit/arm/Simulator-arm.cpp:4150
#3  0x084ef064 in js::jit::Simulator::execute<false> (this=0x968a3c8) at js/src/jit/arm/Simulator-arm.cpp:4217
#4  0x084bb6dd in js::jit::Simulator::callInternal (this=this@entry=0x968a3c8, entry=entry@entry=0xf3385010 "\377\377\377\352\360O-\351\377\377\377\352\r\200\240\341\377\377\377\352\274\301\f\343\377\377\377\352e\311@\343\377\377\377\352") at js/src/jit/arm/Simulator-arm.cpp:4305
#5  0x084bb93c in js::jit::Simulator::call (this=0x968a3c8, entry=0xf3385010 "\377\377\377\352\360O-\351\377\377\377\352\r\200\240\341\377\377\377\352\274\301\f\343\377\377\377\352e\311@\343\377\377\377\352", argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4388
#6  0x0827e366 in EnterBaseline (cx=cx@entry=0x968ae40, data=...) at js/src/jit/BaselineJIT.cpp:111
#7  0x0827eb8d in js::jit::EnterBaselineMethod (cx=0x968ae40, state=...) at js/src/jit/BaselineJIT.cpp:143
eax	0x0	0
ebx	0x962aff4	157462516
ecx	0x0	0
edx	0xf33eea7c	-213980548
esi	0x0	0
edi	0xf33eea7c	-213980548
ebp	0xffffc538	4294952248
esp	0xffffc520	4294952224
eip	0x8473c2d <js::jit::Simulator::readW(int, js::jit::SimInstruction*)+13>
=> 0x8473c2d <js::jit::Simulator::readW(int, js::jit::SimInstruction*)+13>:	mov    (%esi),%eax
   0x8473c2f <js::jit::Simulator::readW(int, js::jit::SimInstruction*)+15>:	add    $0x14,%esp
Group: core-security
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
for (z in (function () {
    (s, {
        f: yield
    })
})()) {}

asserts js debug shell on m-c rev 18188c19a3c3 with --fuzzing-safe --no-threads --arm-asm-nop-fill=5 --ion-eager at Assertion failure: lastNativeOffset == nativeOffset, at jit/BaselineJIT.cpp

Debug configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Keywords: assertion
Summary: Crash [@ js::jit::Simulator::readW] → Crash [@ js::jit::Simulator::readW] or Assertion failure: lastNativeOffset == nativeOffset, at jit/BaselineJIT.cpp with yield
Whiteboard: [jsbugmon:] → [jsbugmon:update,testComment=2,origRev=18188c19a3c3]
Whiteboard: [jsbugmon:update,testComment=2,origRev=18188c19a3c3] → [jsbugmon:testComment=2,origRev=18188c19a3c3]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
(lldb) bt 5
* thread #1: tid = 0x65af70, 0x0026f687 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-18188c19a3c3`js::jit::BaselineScript::pcForNativeOffset(this=<unavailable>, script=<unavailable>, nativeOffset=<unavailable>, isReturn=<unavailable>) + 1159 at BaselineJIT.cpp:788, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0026f687 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-18188c19a3c3`js::jit::BaselineScript::pcForNativeOffset(this=<unavailable>, script=<unavailable>, nativeOffset=<unavailable>, isReturn=<unavailable>) + 1159 at BaselineJIT.cpp:788
    frame #1: 0x0026f6f3 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-18188c19a3c3`js::jit::BaselineScript::pcForReturnAddress(JSScript*, unsigned char*) [inlined] js::jit::BaselineScript::pcForReturnOffset(this=<unavailable>, this=0x020dd000, script=0x01e4c258, nativeOffset=<unavailable>) + 83 at BaselineJIT.cpp:767
    frame #2: 0x0026f6db js-dbg-opt-32-dm-nsprBuild-armSim-darwin-18188c19a3c3`js::jit::BaselineScript::pcForReturnAddress(this=0x020dd000, script=0x01e4c258, nativeAddress=<unavailable>) + 59 at BaselineJIT.cpp:776
    frame #3: 0x00348362 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-18188c19a3c3`js::jit::JitFrameIterator::baselineScriptAndPc(this=<unavailable>, scriptRes=<unavailable>, pcRes=<unavailable>) const + 242 at JitFrames.cpp:262
    frame #4: 0x0077aa41 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-18188c19a3c3`js::FrameIter::popJitFrame() [inlined] js::FrameIter::nextJitFrame() + 23 at Stack.cpp:670
(lldb)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d8cd4f0de4f7
user:        Jan de Mooij
date:        Wed Nov 12 12:12:39 2014 +0100
summary:     Bug 1093573 part 10 - Baseline-compile JSOP_RESUME. r=shu,wingo

Jan, is bug 1093573 a likely regressor?
Flags: needinfo?(jdemooij)
I'm hitting this very often with different signatures. Can someone please look into this issue?
Whiteboard: [jsbugmon:testComment=2,origRev=18188c19a3c3] → [jsbugmon:testComment=2,origRev=18188c19a3c3][fuzzblocker]
(In reply to Christian Holler (:decoder) from comment #6)
> I'm hitting this very often with different signatures. Can someone please
> look into this issue?

Looking into this now.
Attached patch: Patch
One-liner to add AutoForbidPools, fixes the tests in this bug.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8537880 - Flags: review?(dtc-moz)
Comment on attachment 8537880
Patch

Review of attachment 8537880:
-----------------------------------------------------------------

Good catch.
Attachment #8537880 - Flags: review?(dtc-moz) → review+
Comment on attachment 8537880
Patch

Approval Request Comment
[Feature/regressing bug #]: Bug 1093573.
[User impact if declined]: Crashes on Android/b2g.
[Describe test coverage new/current, TBPL]: Fixes reported tests, passes tests.
[Risks and why]: Very low risk, only affects mobile builds.
[String/UUID change made/needed]: None.
Attachment #8537880 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/df379644b52f

Test? :)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Attachment #8537880 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+