Closed Bug 1109375 Opened 5 years ago Closed 5 years ago

Crash [@ CloneOldBaselineStub] with Hit MOZ_CRASH(Bad stub kind) at js/src/jit/BaselineDebugModeOSR.cpp:744

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla37
Tracking Status
firefox36 --- fixed
firefox37 --- fixed

People

(Reporter: decoder, Assigned: shu)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision f1f48ccb2d4e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --thread-count=2 main.js):

See attachment.


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08301152 in CloneOldBaselineStub (cx=0x9675848, entries=..., entryIndex=0) at js/src/jit/BaselineDebugModeOSR.cpp:744
744	        MOZ_CRASH("Bad stub kind");
#0  0x08301152 in CloneOldBaselineStub (cx=0x9675848, entries=..., entryIndex=0) at js/src/jit/BaselineDebugModeOSR.cpp:744
#1  0x08302765 in js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=0x9675848, obs=..., observing=js::Debugger::Observing) at js/src/jit/BaselineDebugModeOSR.cpp:850
#2  0x086b37ba in js::Debugger::updateExecutionObservabilityOfFrames (cx=0x9675848, obs=..., observing=js::Debugger::Observing) at js/src/vm/Debugger.cpp:1830
#3  0x086b3c97 in js::Debugger::ensureExecutionObservabilityOfFrame (cx=0x9675848, frame=...) at js/src/vm/Debugger.cpp:1995
#4  0x086e127f in js::Debugger::getScriptFrameWithIter (this=0x9726560, cx=0x9675848, frame=..., maybeIter=0xffffb904, vp=$jsval(-nan(0xfff8200000000))) at js/src/vm/Debugger.cpp:469
#5  0x086fef85 in getScriptFrame (vp=..., iter=..., cx=0x9675848, this=0x9726560) at js/src/vm/Debugger.h:679
#6  js::Debugger::fireExceptionUnwind (this=0x9726560, cx=0x9675848, vp=$jsval(-nan(0xfff8200000000))) at js/src/vm/Debugger.cpp:1190
#7  0x086ff5a9 in js::Debugger::dispatchHook (cx=0x9675848, vp=$jsval(-nan(0xfff8200000000)), which=js::Debugger::OnExceptionUnwind, payload=0x0) at js/src/vm/Debugger.cpp:1283
#8  0x086ffb38 in js::Debugger::slowPathOnExceptionUnwind (cx=0x9675848, frame=...) at js/src/vm/Debugger.cpp:738
#9  0x08377a7a in onExceptionUnwind (frame=..., cx=0x9675848) at js/src/vm/Debugger-inl.h:57
#10 HandleExceptionBaseline (calledDebugEpilogue=0xffffbd8b, unwoundScopeToPc=<synthetic pointer>, rfe=0xffffbfec, frame=..., cx=0x9675848) at js/src/jit/JitFrames.cpp:591
#11 js::jit::HandleException (rfe=0xffffbfec) at js/src/jit/JitFrames.cpp:791
eax	0x0	0
ebx	0x9631ff4	157491188
ecx	0xf7e648ac	-135903060
edx	0x0	0
esi	0x830113a	137367866
edi	0x9732790	158541712
ebp	0xffffb078	4294946936
esp	0xffffb030	4294946864
eip	0x8301152 <CloneOldBaselineStub(JSContext*, DebugModeOSREntryVector&, size_t)+866>
=> 0x8301152 <CloneOldBaselineStub(JSContext*, DebugModeOSREntryVector&, size_t)+866>:	movl   $0x7b,0x0
   0x830115c <CloneOldBaselineStub(JSContext*, DebugModeOSREntryVector&, size_t)+876>:	call   0x804a9d0 <abort@plt>
Attached file Testcase
Bug 1049840 forgot to add a Clone method. It's needed as it's a "can call" stub that can trigger debug mode OSR.
Attachment #8534054 - Flags: review?(jdemooij)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment on attachment 8534054 [details] [diff] [review]
Make ICGetProp_Generic clonable for debug mode OSR.

Review of attachment 8534054 [details] [diff] [review]:
-----------------------------------------------------------------

Can we make this (non-clonable stub that can toggle the debugger) assert immediately somehow, like when we compile the stub?
Attachment #8534054 - Flags: review?(jdemooij) → review+
(In reply to Jan de Mooij [:jandem] from comment #4)
> Comment on attachment 8534054 [details] [diff] [review]
> Make ICGetProp_Generic clonable for debug mode OSR.
> 
> Review of attachment 8534054 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Can we make this (non-clonable stub that can toggle the debugger) assert
> immediately somehow, like when we compile the stub?

Not sure if we can do this with an assert. The analysis needed would be like a can-GC analysis: is there a path from the IC stub back to the VM and ultimately to debug mode OSR.
https://hg.mozilla.org/mozilla-central/rev/f10fd10b7e27
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Blocks: 1114757
Fixed for Fx36 by the roll-up in bug 1114757.
Assignee: nobody → shu
Flags: in-testsuite?