Crash [@ js::ArgumentsObject::arg] with Debugger

RESOLVED FIXED in Firefox 43

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: decoder, Assigned: shu)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Version: Trunk
Target Milestone: mozilla43
Platform: x86_64
OS: Linux
Keywords: crash, regression, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox42 affected, firefox43 fixed)

Details

(Whiteboard: [jsbugmon:update,bisect], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision f3b757156f69 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --baseline-eager):

setJitCompilerOption('ion.warmup.trigger', 2);
setJitCompilerOption('offthread-compilation.enable', 0);
var g = newGlobal();
var dbg2 = new Debugger;
g.toggle = function toggle(x, d) {
  if (d) {
    dbg2.addDebuggee(g);
    dbg2.getNewestFrame().environment.getVariable("x");
  }
};
g.eval("" + function f(x, d) { toggle(++arguments, d); });
g.eval("(" + function test() {
  for (var i = 0; i < 30; i++)
    f(42, false);
  f(42, true);
} + ")();");
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::ArgumentsObject::arg (this=0x7ffff3401330, i=0) at js/src/vm/ArgumentsObject.h:234
#0  js::ArgumentsObject::arg (this=0x7ffff3401330, i=0) at js/src/vm/ArgumentsObject.h:234
#1  0x000000000073ae0f in (anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess (cx=cx@entry=0x7ffff6907000, debugScope=..., scope=..., scope@entry=..., id=..., id@entry=..., action=action@entry=(anonymous namespace)::DebugScopeProxy::GET, vp=..., vp@entry=..., accessResult=accessResult@entry=0x7fffffff8530, this=0x1ad7020 <(anonymous namespace)::DebugScopeProxy::singleton>) at js/src/vm/ScopeObject.cpp:1301
#2  0x000000000073c3a9 in getMaybeSentinelValue (this=0x1ad7020 <(anonymous namespace)::DebugScopeProxy::singleton>, vp=..., id=..., debugScope=..., cx=0x7ffff6907000) at js/src/vm/ScopeObject.cpp:1599
#3  js::DebugScopeObject::getMaybeSentinelValue (this=<optimized out>, cx=cx@entry=0x7ffff6907000, id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/ScopeObject.cpp:1801
#4  0x00000000006a0897 in DebuggerEnv_getVariable (cx=0x7ffff6907000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:7884
#5  0x00000000006cf7f2 in js::CallJSNative (cx=0x7ffff6907000, native=0x6a0640 <DebuggerEnv_getVariable(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#6  0x00000000006bf982 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:811
#7  0x00000000006c13f9 in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffff8df8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:866
#8  0x00000000008eabda in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffff8e38, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff8de8, res=...) at js/src/jit/BaselineIC.cpp:10054
#9  0x00007ffff7feebdf in ?? ()
[...]
#31 0x0000000000000000 in ?? ()
rax	0xfffc2b2b2b2b2b2b	-1078435499005141
rbx	0x7ffff6907000	140737330049024
rcx	0xffffffff	4294967295
rdx	0x40	64
rsi	0x0	0
rdi	0x7ffff3401330	140737274450736
rbp	0x7fffffff8400	140737488323584
rsp	0x7fffffff8400	140737488323584
r8	0x1b	27
r9	0xda8c1646	3666613830
r10	0x7ffff69a9000	140737330712576
r11	0xfff9000000000000	-1970324836974592
r12	0x0	0
r13	0x7fffffff8490	140737488323728
r14	0x7fffffff8440	140737488323648
r15	0x1	1
rip	0x6cf248 <js::ArgumentsObject::arg(unsigned int) const+8>
=> 0x6cf248 <js::ArgumentsObject::arg(unsigned int) const+8>:	cmpl   $0xfffffff,0x10(%rax)
   0x6cf24f <js::ArgumentsObject::arg(unsigned int) const+15>:	jbe    0x6cf28f <js::ArgumentsObject::arg(unsigned int) const+79>

Not s-s because this is debugger related.

(Assignee)

Comment 1

2 years ago
Created attachment 8644071 [details] [diff] [review]
Trace the arguments object in RematerializedFrames.
Attachment #8644071 - Flags: review?(jdemooij)
(Assignee)

Updated

2 years ago
Assignee: nobody → shu
Status: NEW → ASSIGNED
Attachment #8644071 - Flags: review?(jdemooij) → review+
(Assignee)

Updated

2 years ago
Duplicate of this bug: 1193362

Comment 3

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/718d9ac7f697
https://hg.mozilla.org/mozilla-central/rev/718d9ac7f697
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox43: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43