1122581 - Assertion failure: hasUsableAbstractFramePtr(), at js/src/vm/Stack.cpp:993 or Crash [@ hasArgsObj] with getBacktrace function

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision cac6192956ab (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

function f(x, y) {
    for (var i = 0; i < 40; ++i) {
        var stack = getBacktrace({args: true, locals: true, thisprops: true});
        arguments[1] = 7;
    }
}
f(1, 2);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000ac1ec7 in js::FrameIter::abstractFramePtr (this=0x7fffffffb8c0) at js/src/vm/Stack.cpp:993
993	    MOZ_ASSERT(hasUsableAbstractFramePtr());
#0  0x0000000000ac1ec7 in js::FrameIter::abstractFramePtr (this=0x7fffffffb8c0) at js/src/vm/Stack.cpp:993
#1  0x0000000000ac20ae in js::FrameIter::hasArgsObj (this=<optimized out>) at js/src/vm/Stack.cpp:1201
#2  0x00000000008c03d7 in FormatFrame (showThisProps=true, showLocals=true, showArgs=true, num=0, buf=0x1b5a7d0 "0 f(", iter=..., cx=0x19db450) at js/src/jsfriendapi.cpp:741
#3  JS::FormatStackDump (cx=0x19db450, buf=<optimized out>, showArgs=true, showLocals=true, showThisProps=true) at js/src/jsfriendapi.cpp:867
#4  0x00000000004b0c7b in GetBacktrace (cx=0x19db450, argc=<optimized out>, vp=0x7fffffffbed0) at js/src/builtin/TestingFunctions.cpp:1815
#5  0x00007ffff7f04657 in ?? ()
#6  0x00007ffff7e586d0 in ?? ()
#7  0x00007fffffffbea8 in ?? ()
#8  0x0000000000000001 in ?? ()
#9  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffb8c0	140737488337088
rcx	0x7ffff6cb7910	140737333917968
rdx	0x0	0
rsi	0x7ffff6f8baa0	140737336883872
rdi	0x7ffff6f8a180	140737336877440
rbp	0x7fffffffb5f0	140737488336368
rsp	0x7fffffffb5b0	140737488336304
r8	0x7ffff7fe8740	140737354041152
r9	0x72746e65632d616c	8247338199356891500
r10	0x7fffffffb340	140737488335680
r11	0x7ffff6c3fc90	140737333427344
r12	0x19db450	27112528
r13	0x1b5a7d0	28682192
r14	0xffffff01	4294967041
r15	0x7fffffffb6c0	140737488336576
rip	0xac1ec7 <js::FrameIter::abstractFramePtr() const+375>
=> 0xac1ec7 <js::FrameIter::abstractFramePtr() const+375>:	movl   $0x3e1,0x0
   0xac1ed2 <js::FrameIter::abstractFramePtr() const+386>:	callq  0x4049f0 <abort@plt>


Likely shell-only.

Comment 1

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/549b4ef82544
user:        Steve Fink
date:        Tue Jun 10 15:10:19 2014 -0700
summary:     Bug 1015339 - Add functions for getting and dumping the current backtrace, r=jandem

This iteration took 349.609 seconds to run.

Comment 2

[Christian Holler (:decoder)]

Needinfo from sfink based on comment 1. This still reproduces frequently.

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 4

[Jan de Mooij [:jandem]]

Attachment: Patch

iter.hasArgsObj() requires iter.hasUsableAbstractFramePtr(), so this patch restructures FormatFrame a bit to handle this properly.

Comment 5

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/72ca9f7f9565

Comment 6

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/72ca9f7f9565