Closed
Bug 1191578
Opened 9 years ago
Closed 9 years ago
Crash [@ js::jit::Simulator::decodeType01]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox42 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])
Crash Data
The following testcase crashes on mozilla-central revision 5b54831761b1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --disable-debug, run with --fuzzing-safe --thread-count=2 --arm-asm-nop-fill=1):

```js
enableTrackAllocations();
enableSPSProfiling();
test();
function test() {
  try {
    test();
  } catch (e) {}
}
```

Backtrace:

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0 js::jit::Simulator::decodeType01 (this=this@entry=0xf727d000, instr=instr@entry=0xf745d09c) at js/src/jit/arm/Simulator-arm.cpp:2735
#1 0x085040cc in js::jit::Simulator::instructionDecode (this=this@entry=0xf727d000, instr=instr@entry=0xf745d09c) at js/src/jit/arm/Simulator-arm.cpp:4171
#2 0x08506864 in execute<false> (this=0xf727d000) at js/src/jit/arm/Simulator-arm.cpp:4244
#3 js::jit::Simulator::callInternal (this=this@entry=0xf727d000, entry=entry@entry=0xf745dee8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4332
#4 0x08506a76 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf745dee8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4415
#5 0x082f5501 in EnterBaseline (cx=cx@entry=0xf727e040, data=...) at js/src/jit/BaselineJIT.cpp:124
#6 0x083271b9 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf727e040, state=...) at js/src/jit/BaselineJIT.cpp:156
#7 0x081f24ac in js::RunScript (cx=cx@entry=0xf727e040, state=...) at js/src/vm/Interpreter.cpp:742
#8 0x081f2ee6 in js::Invoke (cx=cx@entry=0xf727e040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:829
#9 0x081f3a4c in js::Invoke (cx=cx@entry=0xf727e040, thisv=..., fval=..., argc=argc@entry=0, argv=0xf53ffd28, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:866
#10 0x08371258 in js::jit::DoCallFallback (cx=0xf727e040, frame=frame@entry=0xf53ffd50, stub_=stub_@entry=0xf4e27188, argc=argc@entry=0, vp=vp@entry=0xf53ffd18, res=res@entry=...) at js/src/jit/BaselineIC.cpp:10028
#11 0x08503c01 in js::jit::Simulator::softwareInterrupt (this=0xf727d000, instr=0xf7202ea4) at js/src/jit/arm/Simulator-arm.cpp:2171
#12 0x08503dbd in js::jit::Simulator::decodeType7 (this=this@entry=0xf727d000, instr=instr@entry=0xf7202ea4) at js/src/jit/arm/Simulator-arm.cpp:3270
#13 0x085040fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf727d000, instr=instr@entry=0xf7202ea4) at js/src/jit/arm/Simulator-arm.cpp:4189
#14 0x08506864 in execute<false> (this=0xf727d000) at js/src/jit/arm/Simulator-arm.cpp:4244
#15 js::jit::Simulator::callInternal (this=this@entry=0xf727d000, entry=entry@entry=0xf745dee8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4332
#16 0x08506a76 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf745dee8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4415
#17 0x082f5501 in EnterBaseline (cx=cx@entry=0xf727e040, data=...) at js/src/jit/BaselineJIT.cpp:124
#18 0x083271b9 in js::jit::EnterBaselineMethod (cx=0xf727e040, state=...) at js/src/jit/BaselineJIT.cpp:156
#19 0x081ed6ab in Interpret (cx=0x36, cx@entry=0xf727e040, state=...) at js/src/vm/Interpreter.cpp:3118
#20 0x081f22de in js::RunScript (cx=cx@entry=0xf727e040, state=...) at js/src/vm/Interpreter.cpp:752
#21 0x081fa24e in js::ExecuteKernel (cx=<optimized out>, cx@entry=0xf727e040, script=script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, type@entry=js::EXECUTE_DIRECT_EVAL, evalInFrame=evalInFrame@entry=..., result=<optimized out>) at js/src/vm/Interpreter.cpp:993
#22 0x0815bcdb in EvalKernel (cx=cx@entry=0xf727e040, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=0xf723848b "{") at js/src/builtin/Eval.cpp:356
#23 0x0815c7a9 in js::DirectEval (cx=cx@entry=0xf727e040, args=...) at js/src/builtin/Eval.cpp:481
#24 0x08371671 in js::jit::DoCallFallback (cx=0xf727e040, frame=frame@entry=0xf53ffe88, stub_=stub_@entry=0xf721fd70, argc=argc@entry=1, vp=vp@entry=0xf53ffe48, res=res@entry=...) at js/src/jit/BaselineIC.cpp:10019
#25 0x08503c01 in js::jit::Simulator::softwareInterrupt (this=0xf727d000, instr=0xf7202ea4) at js/src/jit/arm/Simulator-arm.cpp:2171
#26 0x08503dbd in js::jit::Simulator::decodeType7 (this=this@entry=0xf727d000, instr=instr@entry=0xf7202ea4) at js/src/jit/arm/Simulator-arm.cpp:3270
#27 0x085040fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf727d000, instr=instr@entry=0xf7202ea4) at js/src/jit/arm/Simulator-arm.cpp:4189
#28 0x08506864 in execute<false> (this=0xf727d000) at js/src/jit/arm/Simulator-arm.cpp:4244
#29 js::jit::Simulator::callInternal (this=this@entry=0xf727d000, entry=entry@entry=0xf745dee8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4332
#30 0x08506a76 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf745dee8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4415
#31 0x082f5501 in EnterBaseline (cx=cx@entry=0xf727e040, data=...) at js/src/jit/BaselineJIT.cpp:124
#32 0x08350189 in js::jit::EnterBaselineAtBranch (cx=0xf727e040, fp=0xf50b5028, pc=0xf72381c1 "\343\201C\b\377\377\377Z\231\230&\210\004\235)\210\bʘ5\210\t\230\001\220א\210\004\226\210\004\226\210\004\226\210\004\225\210\bʐ\210\bʐ\210\bϘ\002\234\v\210\003\230\016Ј\026\220Ј\027\220Ј \220Ј\027\220Ј?\220Ј\024\220Ј\030\230\027Ј,\230\031\210\004\314\b\225\210\002Έ\020\230&\210\004͈\020\230((\200") at js/src/jit/BaselineJIT.cpp:228
#33 0x081f1dff in Interpret (cx=0x36, cx@entry=0xf727e040, state=...) at js/src/vm/Interpreter.cpp:2121
#34 0x081f22de in js::RunScript (cx=cx@entry=0xf727e040, state=...) at js/src/vm/Interpreter.cpp:752
#35 0x081fa24e in js::ExecuteKernel (cx=<optimized out>, cx@entry=0xf727e040, script=script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=<optimized out>, result@entry=0x0) at js/src/vm/Interpreter.cpp:993
#36 0x081fa42a in js::Execute (cx=cx@entry=0xf727e040, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1027
#37 0x0851a404 in ExecuteScript (cx=cx@entry=0xf727e040, scope=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4370
#38 0x0851a501 in JS_ExecuteScript (cx=cx@entry=0xf727e040, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4401
#39 0x08068bd0 in RunFile (compileOnly=false, file=0xf727e880, filename=<optimized out>, cx=0xf727e040) at js/src/shell/js.cpp:458
#40 Process (cx=cx@entry=0xf727e040, filename=<optimized out>, forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:576
#41 0x080790a5 in ProcessArgs (op=0xff866d00, cx=<optimized out>) at js/src/shell/js.cpp:5749
#42 Shell (envp=0xff866e50, op=0xff866d00, cx=<optimized out>) at js/src/shell/js.cpp:6040
#43 main (argc=6, argv=0xff866e34, envp=0xff866e50) at js/src/shell/js.cpp:6384
```

Registers and faulting instruction:

```
eax 0x36 54
ebx 0x94053dc 155210716
ecx 0x0 0
edx 0x36 54
esi 0xf7617d7c -144605828
edi 0x0 0
ebp 0x8 8
esp 0xff8643e0 4286989280
eip 0x85063b5 <js::jit::Simulator::decodeType01(js::jit::SimInstruction*)+3925>
=> 0x85063b5 <js::jit::Simulator::decodeType01(js::jit::SimInstruction*)+3925>: movl $0xaaf,0x0
   0x85063bf <js::jit::Simulator::decodeType01(js::jit::SimInstruction*)+3935>: call 0x8091750 <abort()>
```

Marking as fuzzblocker, this is creating tons of reports.
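As an added triage aid (not part of this bug or of the SpiderMonkey tree), the following Python parses gdb frames in the format of the backtrace above, derives the Bugzilla-style `[@ function]` crash signature, and counts how often a frame recurs, which is the information a dedup step needs when a fuzzblocker is "creating tons of reports". The sample input is a constructed, trimmed subset of the report's frames with argument lists shortened.

```python
import re
from collections import Counter

# Constructed sample: a trimmed subset of the frames from this bug's gdb
# backtrace (argument lists shortened; non-contiguous frame numbers are fine).
SAMPLE_BACKTRACE = """\
Program terminated with signal SIGSEGV, Segmentation fault.
#0 js::jit::Simulator::decodeType01 (this=0xf727d000, instr=0xf745d09c) at js/src/jit/arm/Simulator-arm.cpp:2735
#1 0x085040cc in js::jit::Simulator::instructionDecode (this=0xf727d000, instr=0xf745d09c) at js/src/jit/arm/Simulator-arm.cpp:4171
#2 0x08506864 in execute<false> (this=0xf727d000) at js/src/jit/arm/Simulator-arm.cpp:4244
#3 js::jit::Simulator::callInternal (this=0xf727d000, entry=0xf745dee8 "...") at js/src/jit/arm/Simulator-arm.cpp:4332
#4 0x08506a76 in js::jit::Simulator::call (this=<optimized out>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4415
#5 0x082f5501 in EnterBaseline (cx=0xf727e040, data=...) at js/src/jit/BaselineJIT.cpp:124
#10 0x08371258 in js::jit::DoCallFallback (cx=0xf727e040, argc=0, res=...) at js/src/jit/BaselineIC.cpp:10028
#11 0x08503c01 in js::jit::Simulator::softwareInterrupt (this=0xf727d000, instr=0xf7202ea4) at js/src/jit/arm/Simulator-arm.cpp:2171
#17 0x082f5501 in EnterBaseline (cx=0xf727e040, data=...) at js/src/jit/BaselineJIT.cpp:124
#31 0x082f5501 in EnterBaseline (cx=0xf727e040, data=...) at js/src/jit/BaselineJIT.cpp:124
"""

# gdb frame: "#N [0xADDR in] func (args) at file:line"; the address is absent
# for inlined frames (e.g. #0 and #3 above), so it is optional.
FRAME_RE = re.compile(
    r'^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.+?) \((.*)\) at (\S+):(\d+)$')


def parse_frames(text):
    """Return one dict per recognised frame, in stack order (innermost first)."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({'num': int(m.group(1)), 'func': m.group(2),
                           'args': m.group(3), 'file': m.group(4),
                           'line': int(m.group(5))})
    return frames


def crash_signature(frames, skip=()):
    """Bugzilla-style '[@ func]' taken from the innermost frame not in `skip`
    (use `skip` for generic helpers such as abort wrappers)."""
    for f in frames:
        if f['func'] not in skip:
            return '[@ %s]' % f['func']
    return '[@ unknown]'


def recurring_frames(frames, threshold=2):
    """Functions appearing `threshold` or more times: evidence that the trace
    re-enters the same code path, as the simulator does in this report."""
    counts = Counter(f['func'] for f in frames)
    return {func: n for func, n in counts.items() if n >= threshold}
```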
Comment 1 • 9 years ago
Not able to reproduce on current (2015-09-17) mozilla-inbound. Christian, are you still seeing this?
Flags: needinfo?(choller)
Comment 2 (Reporter) • 9 years ago
This suddenly stopped reproducing on Fri, 28 Aug 2015 00:03:54 +0000, so I assume it has been fixed by another bug. Marking as FIXED.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(choller)
Resolution: --- → FIXED