Closed Bug 1140741 Opened 7 years ago Closed 7 years ago

Assertion failure: success, at js/src/jit/JitcodeMap.h:872

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical

Tracking
RESOLVED FIXED
mozilla39
Tracking Status
firefox39 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 56492f7244a9 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --enable-debug, run with --baseline-eager min.js):

enableSPSProfiling();
enableSingleStepProfiling();
var g = newGlobal();
var dbg = Debugger(g);
dbg.onDebuggerStatement = function (frame) {};
g.eval("var line = new Error().lineNumber; debugger;");
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x082ade05 in lookupInfallible (rt=<optimized out>, result=0xffffa290, ptr=0xf578f31c, this=0x96ca500) at js/src/jit/JitcodeMap.h:872
#0  0x082ade05 in lookupInfallible (rt=<optimized out>, result=0xffffa290, ptr=0xf578f31c, this=0x96ca500) at js/src/jit/JitcodeMap.h:872
#1  JS::ProfilingFrameIterator::extractStack (this=this@entry=0xffffa468, frames=frames@entry=0xffffa490, offset=offset@entry=0, end=end@entry=16) at js/src/vm/Stack.cpp:1884
#2  0x080c58ce in SingleStepCallback (arg=<optimized out>, sim=<optimized out>, pc=0x0) at js/src/shell/js.cpp:4212
#3  0x086086d3 in execute<false> (this=0x965ee20) at js/src/jit/arm/Simulator-arm.cpp:4218
#4  js::jit::Simulator::callInternal (this=this@entry=0x965ee20, entry=entry@entry=0xf57849d0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4321
#5  0x08608aee in js::jit::Simulator::call (this=0x965ee20, entry=entry@entry=0xf57849d0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4404
#6  0x083c5f8a in EnterBaseline (cx=cx@entry=0x965fae8, data=...) at js/src/jit/BaselineJIT.cpp:122
#7  0x083f8749 in js::jit::EnterBaselineMethod (cx=cx@entry=0x965fae8, state=...) at js/src/jit/BaselineJIT.cpp:154
#8  0x08274440 in js::RunScript (cx=cx@entry=0x965fae8, state=...) at js/src/vm/Interpreter.cpp:438
#9  0x0827476c in js::Invoke (cx=cx@entry=0x965fae8, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:517
#10 0x08275714 in js::Invoke (cx=cx@entry=0x965fae8, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0xffffb0b8, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:554
#11 0x08776667 in js::Debugger::fireDebuggerStatement (this=this@entry=0x97220f0, cx=cx@entry=0x965fae8, vp=vp@entry=...) at js/src/vm/Debugger.cpp:1173
#12 0x08785df7 in js::Debugger::dispatchHook (cx=cx@entry=0x965fae8, vp=vp@entry=..., which=which@entry=js::Debugger::OnDebuggerStatement, payload=...) at js/src/vm/Debugger.cpp:1287
#13 0x08785fc0 in js::Debugger::slowPathOnDebuggerStatement (cx=cx@entry=0x965fae8, frame=frame@entry=...) at js/src/vm/Debugger.cpp:696
#14 0x085c14da in onDebuggerStatement (frame=..., cx=0x965fae8) at js/src/vm/Debugger-inl.h:50
#15 js::jit::OnDebuggerStatement (cx=0x965fae8, frame=0xf59fedc0, pc=0x9723ecf "s\231\210\004\215\004ˈ\aΈ\377\377\377\375\210\033\211\t", mustReturn=0xf59feda0) at js/src/jit/VMFunctions.cpp:953
#16 0x086068b5 in js::jit::Simulator::softwareInterrupt (this=0x965ee20, instr=0x96ca33c) at js/src/jit/arm/Simulator-arm.cpp:2159
#17 0x08606ad6 in js::jit::Simulator::decodeType7 (this=0x965ee20, instr=0x96ca33c) at js/src/jit/arm/Simulator-arm.cpp:3259
#18 0x08604dc5 in js::jit::Simulator::instructionDecode (this=this@entry=0x965ee20, instr=instr@entry=0x96ca33c) at js/src/jit/arm/Simulator-arm.cpp:4178
#19 0x0860864c in execute<false> (this=0x965ee20) at js/src/jit/arm/Simulator-arm.cpp:4233
#20 js::jit::Simulator::callInternal (this=this@entry=0x965ee20, entry=entry@entry=0xf57849d0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4321
#21 0x08608aee in js::jit::Simulator::call (this=0x965ee20, entry=entry@entry=0xf57849d0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4404
#22 0x083c5f8a in EnterBaseline (cx=cx@entry=0x965fae8, data=...) at js/src/jit/BaselineJIT.cpp:122
#23 0x083f8749 in js::jit::EnterBaselineMethod (cx=cx@entry=0x965fae8, state=...) at js/src/jit/BaselineJIT.cpp:154
#24 0x08274440 in js::RunScript (cx=cx@entry=0x965fae8, state=...) at js/src/vm/Interpreter.cpp:438
#25 0x0827cccd in js::ExecuteKernel (cx=cx@entry=0x965fae8, script=script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_INDIRECT_EVAL, evalInFrame=evalInFrame@entry=..., result=0xffffc3fc) at js/src/vm/Interpreter.cpp:654
#26 0x08180639 in EvalKernel (cx=cx@entry=0x965fae8, args=..., evalType=evalType@entry=INDIRECT_EVAL, caller=caller@entry=..., scopeobj=scopeobj@entry=..., pc=pc@entry=0x0) at js/src/builtin/Eval.cpp:348
#27 0x08180c7d in js::IndirectEval (cx=0x965fae8, argc=1, vp=0xffffc3fc) at js/src/builtin/Eval.cpp:470
#28 0x08282286 in js::CallJSNative (cx=0x965fae8, native=0x8180c00 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226
#29 0x08274676 in js::Invoke (cx=cx@entry=0x965fae8, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#30 0x08275714 in js::Invoke (cx=cx@entry=0x965fae8, thisv=..., fval=..., argc=1, argv=0xffffcacc, rval=...) at js/src/vm/Interpreter.cpp:554
#31 0x0875d977 in js::DirectProxyHandler::call (this=this@entry=0x962b29c <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x965fae8, proxy=proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:76
#32 0x0872c315 in js::CrossCompartmentWrapper::call (this=0x962b29c <js::CrossCompartmentWrapper::singleton>, cx=0x965fae8, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:286
#33 0x0875bc05 in js::Proxy::call (cx=cx@entry=0x965fae8, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:382
#34 0x0875bccb in js::proxy_Call (cx=0x965fae8, argc=1, vp=0xffffcabc) at js/src/proxy/Proxy.cpp:695
#35 0x08282286 in js::CallJSNative (cx=0x965fae8, native=0x875bc60 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:226
#36 0x08274676 in js::Invoke (cx=cx@entry=0x965fae8, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#37 0x08275714 in js::Invoke (cx=cx@entry=0x965fae8, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0xf59feed0, rval=...) at js/src/vm/Interpreter.cpp:554
#38 0x0844fc79 in js::jit::DoCallFallback (cx=0x965fae8, frame=0xf59fef00, stub_=0x9719b68, argc=1, vp=0xf59feec0, res=...) at js/src/jit/BaselineIC.cpp:9648
#39 0x08606893 in js::jit::Simulator::softwareInterrupt (this=0x965ee20, instr=0x96f0fbc) at js/src/jit/arm/Simulator-arm.cpp:2173
#40 0x08606ad6 in js::jit::Simulator::decodeType7 (this=0x965ee20, instr=0x96f0fbc) at js/src/jit/arm/Simulator-arm.cpp:3259
#41 0x08604dc5 in js::jit::Simulator::instructionDecode (this=this@entry=0x965ee20, instr=instr@entry=0x96f0fbc) at js/src/jit/arm/Simulator-arm.cpp:4178
#42 0x0860864c in execute<false> (this=0x965ee20) at js/src/jit/arm/Simulator-arm.cpp:4233
#43 js::jit::Simulator::callInternal (this=this@entry=0x965ee20, entry=entry@entry=0xf57849d0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4321
#44 0x08608aee in js::jit::Simulator::call (this=0x965ee20, entry=entry@entry=0xf57849d0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4404
#45 0x083c5f8a in EnterBaseline (cx=cx@entry=0x965fae8, data=...) at js/src/jit/BaselineJIT.cpp:122
#46 0x083f8749 in js::jit::EnterBaselineMethod (cx=cx@entry=0x965fae8, state=...) at js/src/jit/BaselineJIT.cpp:154
#47 0x08274440 in js::RunScript (cx=cx@entry=0x965fae8, state=...) at js/src/vm/Interpreter.cpp:438
#48 0x0827cccd in js::ExecuteKernel (cx=cx@entry=0x965fae8, script=script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:654
#49 0x0827d0ae in js::Execute (cx=cx@entry=0x965fae8, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:691
#50 0x08689d6b in ExecuteScript (cx=0x965fae8, obj=..., scriptArg=..., rval=0x0) at js/src/jsapi.cpp:3981
#51 0x08689f4c in JS_ExecuteScript (cx=<optimized out>, cx@entry=0x965fae8, obj=..., obj@entry=..., scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4003
#52 0x0804d1d6 in RunFile (compileOnly=false, file=0x9718e28, filename=0xffffdaa2 "min.js", obj=..., cx=0x965fae8) at js/src/shell/js.cpp:467
#53 Process (cx=cx@entry=0x965fae8, obj_=<optimized out>, filename=0xffffdaa2 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:600
#54 0x080aad93 in ProcessArgs (op=0xffffd770, obj_=<optimized out>, cx=<optimized out>) at js/src/shell/js.cpp:5814
#55 Shell (envp=<optimized out>, op=0xffffd770, cx=<optimized out>) at js/src/shell/js.cpp:6077
#56 main (argc=3, argv=0xffffd914, envp=0xffffd924) at js/src/shell/js.cpp:6417
eax	0x0	0
ebx	0x95f93b0	157258672
ecx	0xf7e4388c	-136038260
edx	0x0	0
esi	0xffffa468	-23448
edi	0x96ca500	158115072
ebp	0xffffa3d8	4294943704
esp	0xffffa260	4294943328
eip	0x82ade05 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+869>
=> 0x82ade05 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+869>:	movl   $0x368,0x0
   0x82ade0f <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+879>:	call   0x804a870 <abort@plt>
The test case is trying to look up the address of the debug mode OSR handler,
which is a continuation fixer used by debug mode OSR. This handler is a
trampoline of sorts, returning to a real return address stashed on the
BaselineFrame. Teach the JitProfilingFrameIterator to read that address.
Attachment #8574321 - Flags: review?(kvijayan)
Oops, used the infallible instead of the fallible version for getting the
DebugModeOSRInfo.
Attachment #8574321 - Attachment is obsolete: true
Attachment #8574321 - Flags: review?(kvijayan)
Attachment #8574323 - Flags: review?(kvijayan)
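As an added illustration (not code from this bug's patch or from SpiderMonkey), a simplified C++ model of the two comments above: a profiling frame walker that meets the debug mode OSR handler's trampoline address reads the real return address stashed on the frame, fallibly, instead of looking the trampoline up infallibly. JitcodeMap, BaselineFrame, DebugModeOSRInfo and kDebugModeOSRHandler are stand-ins with assumed shapes and values.

```cpp
// Simplified model of the fix described in the bug. Names are assumed for
// illustration; this is not SpiderMonkey's JitcodeMap, BaselineFrame or
// JitProfilingFrameIterator code.
#include <cstdint>
#include <map>

// Stand-in for the JIT code table: start address -> end address (exclusive).
struct JitcodeMap {
    std::map<uintptr_t, uintptr_t> ranges;

    // Fallible lookup: returns false when addr is not inside any known range.
    bool lookup(uintptr_t addr, uintptr_t* rangeStart) const {
        auto it = ranges.upper_bound(addr);
        if (it == ranges.begin()) return false;
        --it;
        if (addr >= it->second) return false;
        *rangeStart = it->first;
        return true;
    }
};

// Stand-in for DebugModeOSRInfo: the real return address the debug mode OSR
// handler (a trampoline) will eventually return to.
struct DebugModeOSRInfo { uintptr_t resumeAddr; };

// Stand-in for BaselineFrame. The OSR info is only present while a debug
// mode OSR fixup is pending, so reading it must be fallible.
struct BaselineFrame {
    uintptr_t returnAddr;
    bool hasOsrInfo;
    DebugModeOSRInfo osrInfo;
};

// Assumed address of the debug mode OSR handler trampoline.
constexpr uintptr_t kDebugModeOSRHandler = 0xF000;

// Resolve the JIT code range a frame's return address belongs to. The
// trampoline address is never in the map, so an infallible lookup of it
// asserts (the crash on the page); instead read the stashed real address
// from the frame and look that up, failing cleanly when it is absent.
bool resolveFrameRange(const JitcodeMap& map, const BaselineFrame& frame,
                       uintptr_t* rangeStart) {
    uintptr_t addr = frame.returnAddr;
    if (addr == kDebugModeOSRHandler) {
        if (!frame.hasOsrInfo) return false;
        addr = frame.osrInfo.resumeAddr;
    }
    return map.lookup(addr, rangeStart);
}
```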
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/70a8168c7d24
user:        Kannan Vijayan
date:        Thu Jan 15 20:11:21 2015 -0500
summary:     Bug 1057082 - 3/7 - Modify jits to use lastProfilingFrame and lastProfilingCallSite fields. r=jandem

This iteration took 265.653 seconds to run.
Attachment #8574323 - Flags: review?(kvijayan) → review+
https://hg.mozilla.org/mozilla-central/rev/88a1963baa28
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39