Bug 1111199 - Assertion failure: nativeOffset >= entry.nativeOffset, at js/src/jit/BaselineJIT.cpp:800
Status: RESOLVED FIXED (Closed)
Opened 9 years ago; closed 9 years ago
Product/Component: Core :: JavaScript Engine (defect)
Target milestone: mozilla37
Reporter: decoder; Assignee: shu
Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update,bisect]
Attachments: 1 file
Description • 9 years ago (reporter: decoder)

The following testcase crashes on mozilla-central revision f14dcd1c8c0b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

g = newGlobal()
g.parent = this
g.eval("Debugger(parent).onExceptionUnwind=(function(){})")
try {
  function f(code) {
    n = parseInt('', 0);
    return g("try{}catch(e){}", n)
  }
  function g(s, n) {
    s2 = s + s
    d = (n - (function () { return "" + this.id + eval.id; } )().abstract) / 2
    m = g(s2, d)
  }
  f("switch(''){default:break;}")
} catch(exc1) {}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08288fe7 in js::jit::BaselineScript::pcForNativeOffset (this=0x970ebd8, script=0xf6b4c258, nativeOffset=20, isReturn=true) at js/src/jit/BaselineJIT.cpp:800
800         MOZ_ASSERT_IF(isReturn, nativeOffset >= entry.nativeOffset);
#0  0x08288fe7 in js::jit::BaselineScript::pcForNativeOffset (this=0x970ebd8, script=0xf6b4c258, nativeOffset=20, isReturn=true) at js/src/jit/BaselineJIT.cpp:800
#1  0x08289158 in pcForReturnOffset (nativeOffset=20, script=0xf6b4c258, this=<optimized out>) at js/src/jit/BaselineJIT.cpp:763
#2  js::jit::BaselineScript::pcForReturnAddress (this=0x970ebd8, script=0xf6b4c258, nativeAddress=0xf6a918cc "\213U\f\203\342\374\213Z\030\211]\350\213\334\071\035\300\271e\t\017\206#") at js/src/jit/BaselineJIT.cpp:772
#3  0x0830061c in CollectJitStackScripts (entries=..., activation=..., obs=..., cx=0x9670050) at js/src/jit/BaselineDebugModeOSR.cpp:220
#4  js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=0x9670050, obs=..., observing=js::Debugger::Observing) at js/src/jit/BaselineDebugModeOSR.cpp:825
#5  0x086b28ba in js::Debugger::updateExecutionObservabilityOfFrames (cx=0x9670050, obs=..., observing=js::Debugger::Observing) at js/src/vm/Debugger.cpp:1830
#6  0x086b2d97 in js::Debugger::ensureExecutionObservabilityOfFrame (cx=0x9670050, frame=...) at js/src/vm/Debugger.cpp:1993
#7  0x086e046f in js::Debugger::getScriptFrameWithIter (this=0x972bb90, cx=0x9670050, frame=..., maybeIter=0xffffaa64, vp=$jsval(-nan(0xfff8200000000))) at js/src/vm/Debugger.cpp:469
#8  0x086fe1ae in getScriptFrame (vp=..., iter=..., cx=0x9670050, this=0x972bb90) at js/src/vm/Debugger.h:686
#9  js::Debugger::fireExceptionUnwind (this=0x972bb90, cx=0x9670050, vp=$jsval(-nan(0xfff8200000000))) at js/src/vm/Debugger.cpp:1189
#10 0x086fe7d9 in js::Debugger::dispatchHook (cx=0x9670050, vp=$jsval(-nan(0xfff8200000000)), which=js::Debugger::OnExceptionUnwind, payload=0x0) at js/src/vm/Debugger.cpp:1282
#11 0x086fead8 in js::Debugger::slowPathOnExceptionUnwind (cx=0x9670050, frame=...) at js/src/vm/Debugger.cpp:738
#12 0x08375cda in onExceptionUnwind (frame=..., cx=0x9670050) at js/src/vm/Debugger-inl.h:57
#13 HandleExceptionBaseline (calledDebugEpilogue=0xffffaeeb, unwoundScopeToPc=<synthetic pointer>, rfe=0xffffb14c, frame=..., cx=0x9670050) at js/src/jit/JitFrames.cpp:593
#14 js::jit::HandleException (rfe=0xffffb14c) at js/src/jit/JitFrames.cpp:799
#15 0xf6a841e5 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Registers:
eax            0x0          0
ebx            0x9631ff4    157491188
ecx            0xf7e648ac   -135903060
edx            0x0          0
esi            0x0          0
edi            0x970ed1c    158395676
ebp            0xffffa1a8   4294943144
esp            0xffffa150   4294943056
eip            0x8288fe7    <js::jit::BaselineScript::pcForNativeOffset(JSScript*, unsigned int, bool)+903>

Disassembly at the crash site:
=> 0x8288fe7 <js::jit::BaselineScript::pcForNativeOffset(JSScript*, unsigned int, bool)+903>: movl   $0x7b,0x0
   0x8288ff1 <js::jit::BaselineScript::pcForNativeOffset(JSScript*, unsigned int, bool)+913>: call   0x804aa00 <abort@plt>

Not sure if we had this on file already (or maybe duped it to some other bug). I lost track of all the "onExceptionUnwind" bugs. Filing since I can't seem to find it either in FuzzManager or in my dashboard.
Comment 1 • 9 years ago (assignee)
Oops, a typo from bug 1103027, used the wrong pcFor*Addr method; not all addresses from debug mode OSR during exception handling are going to be from an IC return (could be the prologue, say), so should be using pcForNativeAddress instead. Easy one liner.

Attachment #8536055 - Flags: review?(jdemooij)
Updated • 9 years ago
Assignee: nobody → shu

Updated • 9 years ago
Attachment #8536055 - Flags: review?(jdemooij) → review+
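The distinction comment 1 draws (a return-address lookup applied to an address that is not an IC return) can be shown on a small model of a native-offset-to-bytecode-pc mapping table. The block below is an added illustration, not SpiderMonkey's code: the table layout (a 32-byte prologue with no mapping entry of its own, then entries at native offsets 32, 48 and 64), the class and function names, the sample offsets, and the modelling of the engine's MOZ_ASSERT_IF as a failed lookup are all assumptions made for this example.

```cpp
// Constructed model (not SpiderMonkey code) of a baseline-style
// native-offset -> bytecode-pc table and its two lookup modes.
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

struct PCMappingEntry {
    uint32_t nativeOffset;  // start of the machine code for one bytecode op
    uint32_t pcOffset;      // bytecode offset that code was compiled from
};

struct Lookup {
    bool ok;      // false where the real engine's MOZ_ASSERT_IF would fire
    uint32_t pc;  // meaningful only when ok is true
};

class ModelBaselineScript {
    // Sorted by nativeOffset. In this model the prologue occupies
    // [0, entries_.front().nativeOffset) and has no entry of its own.
    std::vector<PCMappingEntry> entries_;
public:
    explicit ModelBaselineScript(std::vector<PCMappingEntry> entries)
        : entries_(std::move(entries)) {}

    // General lookup (the role of pcForNativeAddress in comment 1): any
    // offset maps to the last op whose code starts at or before it, and a
    // prologue offset maps to pc 0, the script entry.
    Lookup pcForNativeOffset(uint32_t nativeOffset) const {
        uint32_t pc = 0;
        for (const PCMappingEntry &e : entries_) {
            if (e.nativeOffset > nativeOffset) break;
            pc = e.pcOffset;
        }
        return Lookup{true, pc};
    }

    // Return-address lookup (the role of pcForReturnAddress): the caller
    // promises the offset is the return point of a recorded call site, so it
    // must lie at or after the first mapped entry. A prologue offset breaks
    // that promise; the model reports it instead of aborting.
    Lookup pcForReturnOffset(uint32_t nativeOffset) const {
        if (entries_.empty() || nativeOffset < entries_.front().nativeOffset)
            return Lookup{false, 0};
        return pcForNativeOffset(nativeOffset);
    }
};

// Constructed sample table: 32 bytes of prologue, then ops at 32, 48, 64.
ModelBaselineScript sampleScript() {
    return ModelBaselineScript({{32, 0}, {48, 5}, {64, 9}});
}

// Models a debug-mode OSR walk visiting one on-stack frame whose resume
// address is nativeOffset. assumeReturn=true is the pre-fix choice of lookup.
Lookup resumePcForFrame(uint32_t nativeOffset, bool assumeReturn) {
    ModelBaselineScript script = sampleScript();
    return assumeReturn ? script.pcForReturnOffset(nativeOffset)
                        : script.pcForNativeOffset(nativeOffset);
}

int main() {
    // Offset 20 sits in the prologue, like the nativeOffset=20 in the backtrace.
    Lookup before = resumePcForFrame(20, true);
    Lookup after = resumePcForFrame(20, false);
    std::printf("return-address lookup of offset 20: %s\n",
                before.ok ? "ok" : "assertion would fire");
    std::printf("general lookup of offset 20: pc %u\n", after.pc);
    return 0;
}
```

The model makes the precondition explicit: the return-address variant is only valid for addresses the engine itself recorded as call-return points, while a frame suspended for an exception unwind can be anywhere in the script's code, prologue included. Using the general lookup for those frames, which is what the one-line fix in comment 1 does, removes the mismatch that the debug assertion was catching.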
Comment 2 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/610eedd26c68
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Comment 3 • 9 years ago
Fixed for Fx36 by the roll-up in bug 1114757.