Closed Bug 1133791 Opened 9 years ago Closed 9 years ago

CRASH: browser/devtools/performance/test/browser_perf-compatibility-04.js | application crashed

Categories

(DevTools :: Performance Tools (Profiler/Timeline), defect)

Product:
DevTools
Component:
Performance Tools (Profiler/Timeline)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: vporof, Unassigned)

References

Details

      No description provided.
No longer blocks: perf-tool-v2, enable-perf-tool
I can't make this crash, but I did manage to make it hang.
The hang has a useless stack:

(gdb) bt
#0  0x00007f9b2237fecb in ?? ()
#1  0x0000000000000000 in ?? ()

Disassembling around the PC and single-stepping a bit shows what seems to be JIT output:

(gdb) disas 0x7f9b2237fec3, 0x7f9b2237feff
Dump of assembler code from 0x7f9b2237fec3 to 0x7f9b2237feff:
=> 0x00007f9b2237fec3:	xorpd  %xmm2,%xmm2
   0x00007f9b2237fec7:	cvtsi2sd %edx,%xmm2
   0x00007f9b2237fecb:	movapd %xmm0,%xmm3
   0x00007f9b2237fecf:	mulsd  %xmm2,%xmm3
   0x00007f9b2237fed3:	ucomisd %xmm3,%xmm1
   0x00007f9b2237fed7:	jbe    0x7f9b2237fee4
   0x00007f9b2237fedd:	shl    %edx
   0x00007f9b2237fedf:	jmpq   0x7f9b2237fec3
   0x00007f9b2237fee4:	movq   %xmm3,%rcx
   0x00007f9b2237fee9:	add    $0x20,%rsp
   0x00007f9b2237feed:	jmpq   0x7f9b22380110
   0x00007f9b2237fef2:	retq   
   0x00007f9b2237fef3:	nop
   0x00007f9b2237fef4:	nop
   0x00007f9b2237fef5:	nop
   0x00007f9b2237fef6:	nop
   0x00007f9b2237fef7:	nop
   0x00007f9b2237fef8:	nop
   0x00007f9b2237fef9:	nop
   0x00007f9b2237fefa:	nop
   0x00007f9b2237fefb:	movabs $0x6906d70,%r11
End of assembler dump.


In another session I tried getting a stack trace from SpiderMonkey, but this crashed:
(gdb) js

Program received signal SIGSEGV, Segmentation fault.
js::jit::JitFrameIterator::operator++ (this=this@entry=0x7fffffff4e88)
    at /home/tromey/firefox-git/gecko-dev/js/src/jit/JitFrames-inl.h:40
40	    CommonFrameLayout *current = (CommonFrameLayout *) current_;
The program being debugged was signaled while in a function called from GDB.
GDB remains in the frame where the signal was received.
To change this behavior use "set unwindonsignal on".
Evaluation of the expression containing the function
(DumpJSStack()) will be abandoned.
When the function is done executing, GDB will silently stop.

Shu said he thinks it isn't possible to get the JS stack from any arbitrary spot anyhow.
Very likely fixed by bug 1137503
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: Firefox → DevTools
You need to log in before you can comment on or make changes to this bug.