
Crash [@ JS::ProfilingFrameIterator::extractStack] or Assertion failure: nativeStartAddr, at jit/JitcodeMap.h

RESOLVED FIXED in Firefox 40

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 3 years ago
Modified: 3 years ago

People: Reporter: gkw; Unassigned

Tracking: Blocks 2 bugs; 4 keywords
Version: Trunk
Target Milestone: mozilla40
Hardware: x86_64, Mac OS X
Keywords: assertion, crash, regression, testcase
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox40 fixed

Attachments: 3 attachments

Description (Reporter, 3 years ago)

// Randomly chosen test: js/src/jit-test/tests/debug/bug1106164.js
var g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function () { };");
enableSPSProfiling();
// Randomly chosen test: js/src/jit-test/tests/profiler/debugmode-osr-resume-addr.js
enableSingleStepProfiling();
// jsfunfuzz-generated
a()

asserts js debug ARM-simulator shell on m-c changeset 883e17fc475f with --fuzzing-safe --no-threads --ion-eager at Assertion failure: nativeStartAddr, at jit/JitcodeMap.h and crashes js opt ARM-simulator shell at JS::ProfilingFrameIterator::extractStack.

Debug configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32 --enable-arm-simulator" -r 883e17fc475f

Opt configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --disable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build --32 --enable-arm-simulator" -r 883e17fc475f

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/88a1963baa28
user:        Shu-yu Guo
date:        Mon Mar 09 18:55:26 2015 -0700
summary:     Bug 1140741 - Teach JitProfilingFrameIterator to read DebugModeOSRInfo. (r=djvj)

Shu-yu, is bug 1140741 a likely regressor?
Flags: needinfo?(shu)

Comment 1 (Reporter, 3 years ago)

Created attachment 8588771 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x943c8, 0x00531827 js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalEntry::BaseEntry::init(this=<unavailable>, kind=<unavailable>, code=<unavailable>, nativeStartAddr=<unavailable>, nativeEndAddr=<unavailable>) + 247 at JitcodeMap.h:164, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00531827 js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalEntry::BaseEntry::init(this=<unavailable>, kind=<unavailable>, code=<unavailable>, nativeStartAddr=<unavailable>, nativeEndAddr=<unavailable>) + 247 at JitcodeMap.h:164
    frame #1: 0x00501de4 js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalTable::lookupInternal(void*) [inlined] js::jit::JitcodeGlobalEntry::QueryEntry::init(this=0x0000000f, addr=<unavailable>) + 68 at JitcodeMap.h:489
    frame #2: 0x00501dbe js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalTable::lookupInternal(void*) [inlined] js::jit::JitcodeGlobalEntry::MakeQuery(ptr=<unavailable>) at JitcodeMap.h:562
    frame #3: 0x00501dbe js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalTable::lookupInternal(this=0x01dcd5d0, ptr=0x00000000) + 30 at JitcodeMap.cpp:465
    frame #4: 0x0048b226 js-dbg-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::JitcodeGlobalTable::lookup(this=<unavailable>, ptr=<unavailable>, result=0xbfffd430, rt=0x01d43000) + 38 at JitcodeMap.cpp:421
(lldb)

Comment 2 (Reporter, 3 years ago)

Created attachment 8588772 [details]
stack of opt crash

(lldb) bt 5
* thread #1: tid = 0x9448f, 0x0018048c js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const [inlined] js::jit::JitcodeGlobalEntry::callStackAtAddr(this=0x00000000, this=<unavailable>, rt=<unavailable>, ptr=<unavailable>, maxResults=<unavailable>) const at JitcodeMap.h:742, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0018048c js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const [inlined] js::jit::JitcodeGlobalEntry::callStackAtAddr(this=0x00000000, this=<unavailable>, rt=<unavailable>, ptr=<unavailable>, maxResults=<unavailable>) const at JitcodeMap.h:742
    frame #1: 0x0018048c js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`JS::ProfilingFrameIterator::extractStack(this=<unavailable>, frames=<unavailable>, offset=<unavailable>, end=<unavailable>) const + 588 at Stack.cpp:1924
    frame #2: 0x00010c48 js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`SingleStepCallback(arg=<unavailable>, sim=<unavailable>, pc=<unavailable>) + 280 at js.cpp:4156
    frame #3: 0x00450e94 js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`void js::jit::Simulator::execute<false>(this=0x01772000) + 52 at Simulator-arm.cpp:4218
    frame #4: 0x003fed47 js-32-dm-nsprBuild-armSim-darwin-883e17fc475f`js::jit::Simulator::call(unsigned char*, int, ...) [inlined] js::jit::Simulator::callInternal(entry=<unavailable>) + 213 at Simulator-arm.cpp:4321
(lldb)

Comment 3 (3 years ago)

Created attachment 8588845 [details] [diff] [review]
Patch a valid return address for debug mode OSR from exception handler when profiling is enabled.

I'm not personally a fan of this fix, but I think it's the best we can
realistically do. The issue here is that unlike the rest of the engine,
JitProfilingFrameIterator can't use the override pc right now.

With delayed symbolication, where we save sampled native code addrs for
symbolication later, we actually need to save a real code pointer. To teach
JitProfilingFrameIterator and nsProfiler how to deal with override pcs as well
as native addresses isn't worth it for just this corner case.

Let me know what you think.
Attachment #8588845 - Flags: review?(jdemooij)
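The failure mode the reporter's stack traces show (a null native address reaching the jitcode lookup, which asserts on nativeStartAddr in debug builds and faults at address 0 in opt builds) and the shape of the fix in comment 3 (give the resumed frame a real code address when profiling is on) can be seen in a small stand-alone model. This is an added example written for this page; it is not SpiderMonkey code or the attached patch, and the CodeTable, JitFrame, symbolize and resumeFromExceptionHandler names, together with the 0x1000-0x2000 code range, are constructed stand-ins for JitcodeGlobalTable, the profiler's frame, extractStack and the debug-mode OSR resume path.

```cpp
// Constructed model of the crash in this bug and of its fix; not engine code.
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// One JIT-compiled chunk of native code: [start, end). Stand-in for a
// JitcodeGlobalEntry.
struct CodeRange {
    uintptr_t start;
    uintptr_t end;
    std::string name;
};

// Stand-in for JitcodeGlobalTable: resolves a native address to the code range
// containing it, or nullptr when nothing matches.
class CodeTable {
public:
    void add(uintptr_t start, uintptr_t end, std::string name) {
        ranges_.push_back({start, end, std::move(name)});
    }
    const CodeRange* lookup(uintptr_t addr) const {
        for (const auto& r : ranges_)
            if (addr >= r.start && addr < r.end) return &r;
        return nullptr;
    }
private:
    std::vector<CodeRange> ranges_;
};

// A JIT frame as the sampling profiler sees it. returnAddr is the native
// address the profiler walks by; overridePc (0 = none) models the debugger's
// resume pc, which the rest of the engine can use but the profiler cannot,
// because a sample kept for delayed symbolication must be a real code address.
struct JitFrame {
    uintptr_t returnAddr;
    uintptr_t overridePc;
};

enum class Outcome { Symbolized, NullAddress, Unknown };

// Stand-in for JitProfilingFrameIterator + extractStack: resolve the frame's
// native return address. Unlike the unfixed engine, it reports a null address
// instead of handing 0 to the table (where the assertion / EXC_BAD_ACCESS fired).
Outcome symbolize(const CodeTable& table, const JitFrame& f, std::string* out) {
    if (f.returnAddr == 0) return Outcome::NullAddress;
    const CodeRange* r = table.lookup(f.returnAddr);
    if (!r) return Outcome::Unknown;
    *out = r->name;
    return Outcome::Symbolized;
}

// Stand-in for resuming into debug-mode OSR code from the exception handler.
// Unfixed behaviour: only the override pc is set and the native return address
// stays 0. Fixed behaviour (patchForProfiler == true): a valid native address
// inside the resumed code is installed as well, so a sample taken here resolves.
JitFrame resumeFromExceptionHandler(uintptr_t resumePc, bool patchForProfiler) {
    JitFrame f{0, resumePc};
    if (patchForProfiler) f.returnAddr = resumePc;
    return f;
}

// Drives the model on a constructed table; returns true when the fixed path
// symbolizes and the unfixed path is caught as a null address.
bool demo() {
    CodeTable table;
    table.add(0x1000, 0x2000, "baseline:main");   // constructed range
    std::string name;
    bool unfixedCaught = symbolize(table, resumeFromExceptionHandler(0x1040, false), &name)
                         == Outcome::NullAddress;
    bool fixedResolves = symbolize(table, resumeFromExceptionHandler(0x1040, true), &name)
                         == Outcome::Symbolized && name == "baseline:main";
    return unfixedCaught && fixedResolves;
}
```

The null check in symbolize is what the debug build's assertion was doing implicitly; the real fix in comment 3 removes the need for it on this path by never producing the null address in the first place, which is why the patch writes a valid return address rather than teaching the profiler about override pcs.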

Updated (3 years ago)

Flags: needinfo?(shu)

Comment on attachment 8588845 [details] [diff] [review]
Patch a valid return address for debug mode OSR from exception handler when profiling is enabled.

Review of attachment 8588845 [details] [diff] [review]:
-----------------------------------------------------------------

Hm yes this seems simpler than the alternatives.
Attachment #8588845 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/5e0f94962830
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox40: affected → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla40