Closed Bug 1111199 Opened 7 years ago Closed 7 years ago

Assertion failure: nativeOffset >= entry.nativeOffset, at js/src/jit/BaselineJIT.cpp:800

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla37
Tracking Status
firefox36 --- fixed
firefox37 --- fixed

People

(Reporter: decoder, Assigned: shu)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision f14dcd1c8c0b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

g = newGlobal()
g.parent = this
g.eval("Debugger(parent).onExceptionUnwind=(function(){})")
try {
function f(code) {
    n = parseInt('', 0);
    return g("try{}catch(e){}", n)
}
function g(s, n) {
    s2 = s + s
    d = (n - (function  ()  {
            return "" + this.id + eval.id;
        } )().abstract) / 2
    m = g(s2, d)
}
f("switch(''){default:break;}")
} catch(exc1) {}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08288fe7 in js::jit::BaselineScript::pcForNativeOffset (this=0x970ebd8, script=0xf6b4c258, nativeOffset=20, isReturn=true) at js/src/jit/BaselineJIT.cpp:800
800	    MOZ_ASSERT_IF(isReturn, nativeOffset >= entry.nativeOffset);
#0  0x08288fe7 in js::jit::BaselineScript::pcForNativeOffset (this=0x970ebd8, script=0xf6b4c258, nativeOffset=20, isReturn=true) at js/src/jit/BaselineJIT.cpp:800
#1  0x08289158 in pcForReturnOffset (nativeOffset=20, script=0xf6b4c258, this=<optimized out>) at js/src/jit/BaselineJIT.cpp:763
#2  js::jit::BaselineScript::pcForReturnAddress (this=0x970ebd8, script=0xf6b4c258, nativeAddress=0xf6a918cc "\213U\f\203\342\374\213Z\030\211]\350\213\334\071\035\300\271e\t\017\206#") at js/src/jit/BaselineJIT.cpp:772
#3  0x0830061c in CollectJitStackScripts (entries=..., activation=..., obs=..., cx=0x9670050) at js/src/jit/BaselineDebugModeOSR.cpp:220
#4  js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=0x9670050, obs=..., observing=js::Debugger::Observing) at js/src/jit/BaselineDebugModeOSR.cpp:825
#5  0x086b28ba in js::Debugger::updateExecutionObservabilityOfFrames (cx=0x9670050, obs=..., observing=js::Debugger::Observing) at js/src/vm/Debugger.cpp:1830
#6  0x086b2d97 in js::Debugger::ensureExecutionObservabilityOfFrame (cx=0x9670050, frame=...) at js/src/vm/Debugger.cpp:1993
#7  0x086e046f in js::Debugger::getScriptFrameWithIter (this=0x972bb90, cx=0x9670050, frame=..., maybeIter=0xffffaa64, vp=$jsval(-nan(0xfff8200000000))) at js/src/vm/Debugger.cpp:469
#8  0x086fe1ae in getScriptFrame (vp=..., iter=..., cx=0x9670050, this=0x972bb90) at js/src/vm/Debugger.h:686
#9  js::Debugger::fireExceptionUnwind (this=0x972bb90, cx=0x9670050, vp=$jsval(-nan(0xfff8200000000))) at js/src/vm/Debugger.cpp:1189
#10 0x086fe7d9 in js::Debugger::dispatchHook (cx=0x9670050, vp=$jsval(-nan(0xfff8200000000)), which=js::Debugger::OnExceptionUnwind, payload=0x0) at js/src/vm/Debugger.cpp:1282
#11 0x086fead8 in js::Debugger::slowPathOnExceptionUnwind (cx=0x9670050, frame=...) at js/src/vm/Debugger.cpp:738
#12 0x08375cda in onExceptionUnwind (frame=..., cx=0x9670050) at js/src/vm/Debugger-inl.h:57
#13 HandleExceptionBaseline (calledDebugEpilogue=0xffffaeeb, unwoundScopeToPc=<synthetic pointer>, rfe=0xffffb14c, frame=..., cx=0x9670050) at js/src/jit/JitFrames.cpp:593
#14 js::jit::HandleException (rfe=0xffffb14c) at js/src/jit/JitFrames.cpp:799
#15 0xf6a841e5 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
eax	0x0	0
ebx	0x9631ff4	157491188
ecx	0xf7e648ac	-135903060
edx	0x0	0
esi	0x0	0
edi	0x970ed1c	158395676
ebp	0xffffa1a8	4294943144
esp	0xffffa150	4294943056
eip	0x8288fe7 <js::jit::BaselineScript::pcForNativeOffset(JSScript*, unsigned int, bool)+903>
=> 0x8288fe7 <js::jit::BaselineScript::pcForNativeOffset(JSScript*, unsigned int, bool)+903>:	movl   $0x7b,0x0
   0x8288ff1 <js::jit::BaselineScript::pcForNativeOffset(JSScript*, unsigned int, bool)+913>:	call   0x804aa00 <abort@plt>

Not sure if we had this on file already (or maybe duped it to some other bug). I lost track of all the "onExceptionUnwind" bugs. Filing since I can't seem to find it either in FuzzManager or in my dashboard.

Oops, a typo from bug 1103027, used the wrong pcFor*Addr method; not all addresses from debug mode OSR during exception handling are going to be from an IC return (could be the prologue, say), so should be using pcForNativeAddress instead.

Easy one liner.
Attachment #8536055 - Flags: review?(jdemooij)
Assignee: nobody → shu
Attachment #8536055 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/610eedd26c68
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Blocks: 1114757
Fixed for Fx36 by the roll-up in bug 1114757.
Flags: in-testsuite+