Closed Bug 1161351 Opened 9 years ago Closed 9 years ago

Crash [@ callStackAtAddr] or Assertion failure: stubFrame->prevType() == JitFrame_BaselineJS || stubFrame->prevType() == JitFrame_IonJS, at jit/JitFrames.cpp:2958

Categories: Core :: JavaScript Engine, defect
Hardware/OS: ARM, Linux
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, target milestone mozilla40
Tracking Status: firefox40 --- fixed

People: Reporter: decoder, Unassigned

Details: 4 keywords, Whiteboard: [jsbugmon:update,bisect]

Attachments: 1 file

The following testcase crashes on mozilla-central revision dc5f85980a82 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --disable-debug, run with --fuzzing-safe --baseline-eager):

function x() { n; }
function f() {
  try  { x(); } catch(ex) {}
}
var g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function () {};");
enableSPSProfiling();
enableSingleStepProfiling();
f();
f();
f();
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
callStackAtAddr (maxResults=64, results=0xffffa310, ptr=0xf5effdfc, rt=0xf7a24000, this=0xffffa2e0) at js/src/jit/JitcodeMap.h:744
#0  callStackAtAddr (maxResults=64, results=0xffffa310, ptr=0xf5effdfc, rt=0xf7a24000, this=0xffffa2e0) at js/src/jit/JitcodeMap.h:744
#1  JS::ProfilingFrameIterator::extractStack (this=this@entry=0xffffa498, frames=frames@entry=0xffffa4c0, offset=offset@entry=0, end=end@entry=16) at js/src/vm/Stack.cpp:1925
#2  0x080894ac in SingleStepCallback (arg=<optimized out>, sim=<optimized out>, pc=0x0) at js/src/shell/js.cpp:4181
#3  0x0846d31b in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4231
#4  js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4334
#5  0x0846d4a6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#6  0x082cba8a in EnterBaseline (cx=cx@entry=0xf7a6d0e0, data=...) at js/src/jit/BaselineJIT.cpp:124
#7  0x082f9519 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/BaselineJIT.cpp:156
#8  0x081c81ad in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:667
#9  0x081c85c6 in js::Invoke (cx=cx@entry=0xf7a6d0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#10 0x081c906b in js::Invoke (cx=cx@entry=0xf7a6d0e0, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0xffffaef8, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#11 0x085b4977 in js::Debugger::fireExceptionUnwind (this=this@entry=0xf7a03d30, cx=cx@entry=0xf7a6d0e0, vp=vp@entry=...) at js/src/vm/Debugger.cpp:1220
#12 0x085b549a in js::Debugger::dispatchHook (cx=cx@entry=0xf7a6d0e0, vp=vp@entry=..., which=which@entry=js::Debugger::OnExceptionUnwind, payload=...) at js/src/vm/Debugger.cpp:1335
#13 0x085b56c3 in js::Debugger::slowPathOnExceptionUnwind (cx=0xf7a6d0e0, frame=...) at js/src/vm/Debugger.cpp:738
#14 0x08382a0d in onExceptionUnwind (frame=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:58
#15 HandleExceptionBaseline (pc=0xf7aa3754 ":", rfe=<optimized out>, frame=..., cx=<optimized out>) at js/src/jit/JitFrames.cpp:691
#16 js::jit::HandleException (rfe=0xf5effd1c) at js/src/jit/JitFrames.cpp:868
#17 0x0846a6b9 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a02324) at js/src/jit/arm/Simulator-arm.cpp:2133
#18 0x0846a86d in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02324) at js/src/jit/arm/Simulator-arm.cpp:3272
#19 0x0846abac in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02324) at js/src/jit/arm/Simulator-arm.cpp:4191
#20 0x0846d294 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#21 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4334
#22 0x0846d4a6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#23 0x082cba8a in EnterBaseline (cx=cx@entry=0xf7a6d0e0, data=...) at js/src/jit/BaselineJIT.cpp:124
#24 0x082f9519 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/BaselineJIT.cpp:156
#25 0x081c81ad in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:667
#26 0x081c85c6 in js::Invoke (cx=cx@entry=0xf7a6d0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#27 0x081c906b in js::Invoke (cx=cx@entry=0xf7a6d0e0, thisv=..., fval=..., argc=argc@entry=0, argv=0xf5effee0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#28 0x08339816 in js::jit::DoCallFallback (cx=0xf7a6d0e0, frame=frame@entry=0xf5efff00, stub_=stub_@entry=0xf7a21790, argc=argc@entry=0, vp=vp@entry=0xf5effed0, res=res@entry=...) at js/src/jit/BaselineIC.cpp:10212
#29 0x0846a6a9 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a02f34) at js/src/jit/arm/Simulator-arm.cpp:2173
#30 0x0846a86d in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f34) at js/src/jit/arm/Simulator-arm.cpp:3272
#31 0x0846abac in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f34) at js/src/jit/arm/Simulator-arm.cpp:4191
#32 0x0846d294 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#33 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4334
#34 0x0846d4a6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#35 0x082cba8a in EnterBaseline (cx=cx@entry=0xf7a6d0e0, data=...) at js/src/jit/BaselineJIT.cpp:124
#36 0x082f9519 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/BaselineJIT.cpp:156
#37 0x081c81ad in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:667
#38 0x081d0667 in js::ExecuteKernel (cx=<optimized out>, cx@entry=0xf7a6d0e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=<optimized out>, type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=<optimized out>, result@entry=0x0) at js/src/vm/Interpreter.cpp:902
#39 0x081d0836 in js::Execute (cx=cx@entry=0xf7a6d0e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:942
#40 0x084f125c in ExecuteScript (cx=cx@entry=0xf7a6d0e0, obj=..., scriptArg=scriptArg@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4159
#41 0x084f1381 in JS_ExecuteScript (cx=cx@entry=0xf7a6d0e0, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4181
#42 0x080668e4 in RunFile (compileOnly=false, file=0xf7af2720, filename=<optimized out>, cx=0xf7a6d0e0) at js/src/shell/js.cpp:467
#43 Process (cx=cx@entry=0xf7a6d0e0, filename=<optimized out>, forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#44 0x08075237 in ProcessArgs (op=0xffffcc10, cx=<optimized out>) at js/src/shell/js.cpp:5798
#45 Shell (envp=0xffffcd58, op=0xffffcc10, cx=<optimized out>) at js/src/shell/js.cpp:6064
#46 main (argc=4, argv=0xffffcd44, envp=0xffffcd58) at js/src/shell/js.cpp:6385
eax	0xf7a24000	-140361728
ebx	0x9347bec	154434540
ecx	0xf5effdfc	-168821252
edx	0x0	0
esi	0xf7a6c000	-140066816
edi	0xffffa498	-23400
ebp	0xffffa428	4294943784
esp	0xffffa290	4294943376
eip	0x81fa419 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+249>
=> 0x81fa419 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+249>:	movl   $0x2e8,0x0
   0x81fa423 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+259>:	call   0x808c070 <abort()>
Comment on attachment 8601309
Fix unwound exit frame sizes in JitProfilingFrameIterator.

Review of attachment 8601309:
-----------------------------------------------------------------

::: js/src/jit/JitFrames-inl.h
@@ +48,5 @@
>      return current->prevType();
>  }
>  
>  inline bool
> +IsUnwoundFrame(FrameType type)
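Review bot: `+IsUnwoundFrame(FrameType type)` enters the header at `@@ +48,5 @@` with no comment stating which FrameType values count as unwound, and the visible context shows only the signature. Since this predicate is what decides whether an exit frame is walked with `JitFrameLayout::Size()` or `ExitFrameLayout::Size()` in JitFrames.cpp, a one-line comment on the declaration naming the unwound frame types and saying why they are sized as a JitFrameLayout would make the size choice at the call site self-explanatory.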

Nice!

::: js/src/jit/JitFrames.cpp
@@ +2939,5 @@
>  }
>  
> +template <typename FrameType, typename ReturnType=CommonFrameLayout*>
> +inline ReturnType
> +GetPreviousRawFrame(ExitFrameLayout* frame)
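Review bot: in `+template <typename FrameType, typename ReturnType=CommonFrameLayout*>` the first parameter never appears in the parameter list `(ExitFrameLayout* frame)`, so it cannot be deduced and acts only as a dispatch tag that every caller must spell out, as `GetPreviousRawFrame<ExitFrameLayout, uint8_t*>(frame)` does further down. Nothing stops a caller from passing a tag that does not match the argument type, so either add a `static_assert(std::is_same<FrameType, ExitFrameLayout>::value, "...")` in the body or drop the tag and overload on the argument type alone. Minor: spaces around `=` in the default argument (`ReturnType = CommonFrameLayout*`) read more clearly.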

Why are we using a template for the argument, and not only overloading?
Also, this solution sounds ambiguous; you should probably prefer the following notation

template <typename ReturnType = CommonFrameLayout*>
static inline ReturnType
GetPreviousRawFrame<ExitFrameLayout, ReturnType>(ExitFrameLayout* frame)

which only does a template specialization, and does not use any overloading at all.

@@ +2948,5 @@
> +    size_t frameSize = IsUnwoundFrame(frame->prevType())
> +                       ? JitFrameLayout::Size()
> +                       : ExitFrameLayout::Size();
> +    size_t prevSize = frame->prevFrameLocalSize() + frameSize;
> +    return (ReturnType) (((uint8_t*) frame) + prevSize);
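Review bot: the size selection at `+    size_t frameSize = IsUnwoundFrame(frame->prevType())` silently yields a wrong previous-frame pointer if `prevType()` is a value the helper does not anticipate, which is the same class of miscomputed exit-frame size this patch is fixing for the `callStackAtAddr` crash in the title; a `MOZ_ASSERT` on the expected set of `prevType()` values before the return would surface such a case as a debug-build failure at the point of the miscalculation rather than as a later crash in the profiler. The C-style cast on `+    return (ReturnType) (((uint8_t*) frame) + prevSize);` also accepts any `ReturnType` whatsoever; a `reinterpret_cast<ReturnType>(...)` keeps the conversion explicit and easy to audit.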

nit: use a C++-style cast instead.  ReturnType(…)

@@ +2968,3 @@
>          returnAddressToFp_ = frame->returnAddress();
>          fp_ = GetPreviousRawFrame<ExitFrameLayout, uint8_t*>(frame);
>          type_ = JitFrame_BaselineJS;
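Review bot: `type_ = JitFrame_BaselineJS;` is assigned unconditionally right after `fp_` is computed from the exit frame, yet the assertion quoted in the bug title (`stubFrame->prevType() == JitFrame_BaselineJS || stubFrame->prevType() == JitFrame_IonJS`) shows that either a Baseline or an Ion frame can sit beneath such a frame. If this branch is only reachable when the previous frame is Baseline, a `MOZ_ASSERT(frame->prevType() == JitFrame_BaselineJS)` beside the assignment would document and enforce that; otherwise the type should be derived from `frame->prevType()` rather than hard-coded.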

Wow! Apparently this is valid today, but this was never intended.
Attachment #8601309 - Flags: review?(jdemooij) → review+
Flags: needinfo?(shu)
https://hg.mozilla.org/mozilla-central/rev/cade54db387c
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40