Closed
Bug 1161351
Opened 9 years ago
Closed 9 years ago
Crash [@ callStackAtAddr] or Assertion failure: stubFrame->prevType() == JitFrame_BaselineJS || stubFrame->prevType() == JitFrame_IonJS, at jit/JitFrames.cpp:2958
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla40
| Tracking | Status
---|---|---
firefox40 | --- | fixed
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Crash Data
Attachments (1 file)
patch, 4.02 KB, nbp: review+
The following testcase crashes on mozilla-central revision dc5f85980a82 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --disable-debug, run with --fuzzing-safe --baseline-eager):

function x() { n; }
function f() { try { x(); } catch(ex) {} }
var g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function () {};");
enableSPSProfiling();
enableSingleStepProfiling();
f();
f();
f();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
callStackAtAddr (maxResults=64, results=0xffffa310, ptr=0xf5effdfc, rt=0xf7a24000, this=0xffffa2e0) at js/src/jit/JitcodeMap.h:744
#0  callStackAtAddr (maxResults=64, results=0xffffa310, ptr=0xf5effdfc, rt=0xf7a24000, this=0xffffa2e0) at js/src/jit/JitcodeMap.h:744
#1  JS::ProfilingFrameIterator::extractStack (this=this@entry=0xffffa498, frames=frames@entry=0xffffa4c0, offset=offset@entry=0, end=end@entry=16) at js/src/vm/Stack.cpp:1925
#2  0x080894ac in SingleStepCallback (arg=<optimized out>, sim=<optimized out>, pc=0x0) at js/src/shell/js.cpp:4181
#3  0x0846d31b in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4231
#4  js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4334
#5  0x0846d4a6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#6  0x082cba8a in EnterBaseline (cx=cx@entry=0xf7a6d0e0, data=...) at js/src/jit/BaselineJIT.cpp:124
#7  0x082f9519 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/BaselineJIT.cpp:156
#8  0x081c81ad in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:667
#9  0x081c85c6 in js::Invoke (cx=cx@entry=0xf7a6d0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#10 0x081c906b in js::Invoke (cx=cx@entry=0xf7a6d0e0, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0xffffaef8, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#11 0x085b4977 in js::Debugger::fireExceptionUnwind (this=this@entry=0xf7a03d30, cx=cx@entry=0xf7a6d0e0, vp=vp@entry=...) at js/src/vm/Debugger.cpp:1220
#12 0x085b549a in js::Debugger::dispatchHook (cx=cx@entry=0xf7a6d0e0, vp=vp@entry=..., which=which@entry=js::Debugger::OnExceptionUnwind, payload=...) at js/src/vm/Debugger.cpp:1335
#13 0x085b56c3 in js::Debugger::slowPathOnExceptionUnwind (cx=0xf7a6d0e0, frame=...) at js/src/vm/Debugger.cpp:738
#14 0x08382a0d in onExceptionUnwind (frame=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:58
#15 HandleExceptionBaseline (pc=0xf7aa3754 ":", rfe=<optimized out>, frame=..., cx=<optimized out>) at js/src/jit/JitFrames.cpp:691
#16 js::jit::HandleException (rfe=0xf5effd1c) at js/src/jit/JitFrames.cpp:868
#17 0x0846a6b9 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a02324) at js/src/jit/arm/Simulator-arm.cpp:2133
#18 0x0846a86d in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02324) at js/src/jit/arm/Simulator-arm.cpp:3272
#19 0x0846abac in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02324) at js/src/jit/arm/Simulator-arm.cpp:4191
#20 0x0846d294 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#21 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4334
#22 0x0846d4a6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#23 0x082cba8a in EnterBaseline (cx=cx@entry=0xf7a6d0e0, data=...) at js/src/jit/BaselineJIT.cpp:124
#24 0x082f9519 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/BaselineJIT.cpp:156
#25 0x081c81ad in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:667
#26 0x081c85c6 in js::Invoke (cx=cx@entry=0xf7a6d0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#27 0x081c906b in js::Invoke (cx=cx@entry=0xf7a6d0e0, thisv=..., fval=..., argc=argc@entry=0, argv=0xf5effee0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#28 0x08339816 in js::jit::DoCallFallback (cx=0xf7a6d0e0, frame=frame@entry=0xf5efff00, stub_=stub_@entry=0xf7a21790, argc=argc@entry=0, vp=vp@entry=0xf5effed0, res=res@entry=...) at js/src/jit/BaselineIC.cpp:10212
#29 0x0846a6a9 in js::jit::Simulator::softwareInterrupt (this=0xf7a6c000, instr=0xf7a02f34) at js/src/jit/arm/Simulator-arm.cpp:2173
#30 0x0846a86d in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f34) at js/src/jit/arm/Simulator-arm.cpp:3272
#31 0x0846abac in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a6c000, instr=instr@entry=0xf7a02f34) at js/src/jit/arm/Simulator-arm.cpp:4191
#32 0x0846d294 in execute<false> (this=0xf7a6c000) at js/src/jit/arm/Simulator-arm.cpp:4246
#33 js::jit::Simulator::callInternal (this=this@entry=0xf7a6c000, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4334
#34 0x0846d4a6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8828 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#35 0x082cba8a in EnterBaseline (cx=cx@entry=0xf7a6d0e0, data=...) at js/src/jit/BaselineJIT.cpp:124
#36 0x082f9519 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/jit/BaselineJIT.cpp:156
#37 0x081c81ad in js::RunScript (cx=cx@entry=0xf7a6d0e0, state=...) at js/src/vm/Interpreter.cpp:667
#38 0x081d0667 in js::ExecuteKernel (cx=<optimized out>, cx@entry=0xf7a6d0e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=<optimized out>, type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=<optimized out>, result@entry=0x0) at js/src/vm/Interpreter.cpp:902
#39 0x081d0836 in js::Execute (cx=cx@entry=0xf7a6d0e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:942
#40 0x084f125c in ExecuteScript (cx=cx@entry=0xf7a6d0e0, obj=..., scriptArg=scriptArg@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4159
#41 0x084f1381 in JS_ExecuteScript (cx=cx@entry=0xf7a6d0e0, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4181
#42 0x080668e4 in RunFile (compileOnly=false, file=0xf7af2720, filename=<optimized out>, cx=0xf7a6d0e0) at js/src/shell/js.cpp:467
#43 Process (cx=cx@entry=0xf7a6d0e0, filename=<optimized out>, forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#44 0x08075237 in ProcessArgs (op=0xffffcc10, cx=<optimized out>) at js/src/shell/js.cpp:5798
#45 Shell (envp=0xffffcd58, op=0xffffcc10, cx=<optimized out>) at js/src/shell/js.cpp:6064
#46 main (argc=4, argv=0xffffcd44, envp=0xffffcd58) at js/src/shell/js.cpp:6385

eax            0xf7a24000       -140361728
ebx            0x9347bec        154434540
ecx            0xf5effdfc       -168821252
edx            0x0              0
esi            0xf7a6c000       -140066816
edi            0xffffa498       -23400
ebp            0xffffa428       4294943784
esp            0xffffa290       4294943376
eip            0x81fa419        <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+249>
=> 0x81fa419 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+249>:    movl   $0x2e8,0x0
   0x81fa423 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+259>:    call   0x808c070 <abort()>
Comment 1 • 9 years ago
Attachment #8601309 -
Flags: review?(jdemooij)
Comment 2 • 9 years ago
Comment on attachment 8601309 [details] [diff] [review]
Fix unwound exit frame sizes in JitProfilingFrameIterator.

Review of attachment 8601309 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/JitFrames-inl.h
@@ +48,5 @@
>      return current->prevType();
>  }
>  
>  inline bool
> +IsUnwoundFrame(FrameType type)

Nice !

::: js/src/jit/JitFrames.cpp
@@ +2939,5 @@
>  }
>  
> +template <typename FrameType, typename ReturnType=CommonFrameLayout*>
> +inline ReturnType
> +GetPreviousRawFrame(ExitFrameLayout* frame)

Why are we using a template for the argument, and not only overloading?

Also this solution sounds ambiguous, you should probably prefer the following notation

  template <typename ReturnType = CommonFrameLayout*>
  static inline ReturnType
  GetPreviousRawFrame<ExitFrameLayout, ReturnType>(ExitFrameLayout* frame)

which only does a template specialization, and does not use any overloading at all.

@@ +2948,5 @@
> +    size_t frameSize = IsUnwoundFrame(frame->prevType())
> +                       ? JitFrameLayout::Size()
> +                       : ExitFrameLayout::Size();
> +    size_t prevSize = frame->prevFrameLocalSize() + frameSize;
> +    return (ReturnType) (((uint8_t*) frame) + prevSize);

nit: use a C++-style cast instead.  ReturnType(…)

@@ +2968,3 @@
>      returnAddressToFp_ = frame->returnAddress();
>      fp_ = GetPreviousRawFrame<ExitFrameLayout, uint8_t*>(frame);
>      type_ = JitFrame_BaselineJS;

Wow! Apparently this is valid today, but this was never intended.
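Review bot: the size selection in the @@ +2948,5 hunk carries no comment explaining why a previous frame that IsUnwoundFrame() reports as unwound is measured with JitFrameLayout::Size() while every other previous frame is measured with ExitFrameLayout::Size(). Since the backtrace in this bug shows the profiler's stack walk (JS::ProfilingFrameIterator::extractStack calling callStackAtAddr) faulting on a bad frame pointer, a one-line comment above `size_t frameSize = IsUnwoundFrame(frame->prevType())` stating which header is still on the stack in each case would let the next reader check the arithmetic against the frame layouts instead of re-deriving it, and a debug assertion that the returned pointer lands on a frame of the expected type would make a wrong size fail at the iterator rather than later in the stack walk.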
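Review bot: in the @@ +2968,3 hunk type_ is set to JitFrame_BaselineJS unconditionally right after fp_ is computed from the exit frame, while the assertion quoted in this bug's title (jit/JitFrames.cpp:2958) accepts JitFrame_IonJS as a previous frame type on the same code path. If an Ion previous frame is impossible where this runs, an assertion on frame->prevType() beside `type_ = JitFrame_BaselineJS;` would document that and turn a future violation into a clear failure; otherwise type_ should be derived from the previous frame type rather than hard-coded.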
Attachment #8601309 -
Flags: review?(jdemooij) → review+
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/ea1a2a86fa0a for SM(arm) orange: https://treeherder.mozilla.org/logviewer.html#?job_id=9620746&repo=mozilla-inbound
Flags: needinfo?(shu)
Updated • 9 years ago
Flags: needinfo?(shu)
https://hg.mozilla.org/mozilla-central/rev/cade54db387c
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40