Closed Bug 1199952 Opened 9 years ago Closed 9 years ago

Crash [@ js::TypeSet::GetValueType] with Debugger

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla44
Tracking Status
firefox43 --- affected
firefox44 --- fixed

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:bisectfix])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 7db14bebae91 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-eager):

var g = newGlobal();
g.parent = this;
g.eval(`
  var dbg = new Debugger();
  var parentw = dbg.addDebuggee(parent);
  dbg.onIonCompilation = function (graph) {};
`);
gczeal(7,1);
var findNearestDateBefore = function(start, predicate) {
    var current = start;
    var month = 1000 * 60 * 60 * 24 * 30;
    for (var step = month; step > 0; step = Math.floor(step / 3)) {
        !predicate(current);
        current = new Date(current.getTime() + step);
    }
};
var juneDate = new Date(2000, 5, 20, 0, 0, 0, 0);
var decemberDate = new Date(2000, 11, 20, 0, 0, 0, 0);
var juneOffset = juneDate.getTimezoneOffset();
var decemberOffset = decemberDate.getTimezoneOffset();
var isSouthernHemisphere = (juneOffset > decemberOffset);
var winterTime = isSouthernHemisphere ? juneDate : decemberDate;
var dstStart = findNearestDateBefore(winterTime, function (date) {})();
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::TypeSet::GetValueType (val=...) at js/src/vm/ObjectGroup.h:200
#0  js::TypeSet::GetValueType (val=...) at js/src/vm/ObjectGroup.h:200
#1  0x00000000008f3eef in SetArgument (value=..., arg=0, script=0x7ffff7e62300, cx=0x7ffff6907000) at js/src/vm/TypeInference-inl.h:635
#2  js::jit::DoTypeMonitorFallback (cx=0x7ffff6907000, frame=<optimized out>, stub=0x7ffff69ccc88, value=..., res=...) at js/src/jit/BaselineIC.cpp:522
#3  0x00007ffff7feff2b in ?? ()
[...]
#15 0x0000000000000000 in ?? ()
rax	0x7ffff4800781	140737295419265
rbx	0x7ffff6907000	140737330049024
rcx	0xfffbffffffffffff	-1125899906842625
rdx	0xfffc2b2b2b2b2b2b	-1078435499005141
rsi	0x7ffff69ccc88	140737330859144
rdi	0x7fffffffc090	140737488339088
rbp	0x7fffffffbf40	140737488338752
rsp	0x7fffffffbf40	140737488338752
r8	0x7fffffffc058	140737488339032
r9	0x7ffff6930170	140737330217328
r10	0x7fffffffc080	140737488339072
r11	0xfff9000000000000	-1970324836974592
r12	0x7fffffffc090	140737488339088
r13	0x7ffff69ccc88	140737330859144
r14	0x7fffffffc058	140737488339032
r15	0x7fffffffbf80	140737488338816
rip	0x51c5cc <js::TypeSet::GetValueType(JS::Value const&)+124>
=> 0x51c5cc <js::TypeSet::GetValueType(JS::Value const&)+124>:	mov    0x18(%rdx),%ecx
   0x51c5cf <js::TypeSet::GetValueType(JS::Value const&)+127>:	test   $0x2,%cl
Not marking s-s as it seems to require the debugger.
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150816173138" and the hash "6fc3ec170fb24e211b579428edb255c67d1d363a".
The "bad" changeset has the timestamp "20150817145539" and the hash "bd4464cd4be8c21f898058a7feeec7fcbdcaf8b4".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=6fc3ec170fb24e211b579428edb255c67d1d363a&tochange=bd4464cd4be8c21f898058a7feeec7fcbdcaf8b4
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6ca9518d7cf9).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
I think this is an intermittent issue. I filed bug 1204726 with a test that also uses "dbg.onIonCompilation" so it might be related.
For me it's not intermittent, so I bisected this too:

The first bad revision is:
changeset:   257986:3bbd0d929128
user:        Hannes Verschore <hv1989@gmail.com>
date:        Fri Aug 14 17:57:57 2015 +0200
summary:     Bug 1178834: IonMonkey - Always lazy link code, r=jandem

Will take a closer look.
Attached patch: Patch
MarkThisAndArguments has to mark formal arguments if we have a lazy link frame.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
Attachment #8663775 - Flags: review?(nicolas.b.pierron)
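The marking omission jandem describes above, as an added illustration that is not SpiderMonkey code and not part of this bug: a toy mark-sweep heap with two frame kinds, where the root marker either skips the formal arguments of one frame kind (the failure mode) or traces them (the fix), and a later read of the argument's tag shows the difference. All names here (Cell, Frame, FRAME_LAZY_LINK, mark_this_and_arguments, argument_survives_gc) are hypothetical; the 0x2b fill byte is a constructed poison value chosen to echo the repeated 0x2b bytes in rdx at the faulting load in the backtrace above.

```c
/* Added example, not SpiderMonkey code. Shows why a frame kind whose formal
 * arguments are not traced as GC roots leaves a dangling pointer behind. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CELLS 8
#define MAX_ARGS 4
#define SWEPT_PATTERN 0x2b   /* constructed: fill byte written over freed cells */
#define KIND_OBJECT 1        /* constructed: tag of a live object cell */

/* A heap cell: the GC reads 'marked', the runtime reads 'kind'. */
typedef struct Cell { uint32_t kind; uint32_t marked; } Cell;

/* Two frame kinds, hypothetical, standing in for the distinction in the bug. */
typedef enum { FRAME_INTERPRETER, FRAME_LAZY_LINK } FrameKind;

/* An activation record holding 'this' and the formal arguments. */
typedef struct Frame {
    FrameKind kind;
    Cell *thisv;
    Cell *args[MAX_ARGS];
    int nargs;
} Frame;

static Cell heap[MAX_CELLS];
static int heap_used;

static Cell *alloc_cell(void) {
    if (heap_used >= MAX_CELLS) return NULL;
    Cell *c = &heap[heap_used++];
    c->kind = KIND_OBJECT;
    c->marked = 0;
    return c;
}

/* Root marking for one frame. 'trace_lazy_link_args' toggles the fix:
 * false reproduces the omission (lazy-link frames skip their formals),
 * true marks every frame's formals regardless of kind. */
static void mark_this_and_arguments(const Frame *f, bool trace_lazy_link_args) {
    if (f->thisv) f->thisv->marked = 1;
    if (f->kind == FRAME_LAZY_LINK && !trace_lazy_link_args)
        return;   /* bug: the formals of this frame kind are never rooted */
    for (int i = 0; i < f->nargs; i++)
        if (f->args[i]) f->args[i]->marked = 1;
}

/* Sweep: unmarked cells are freed and overwritten with the poison byte, so a
 * later use reads an obvious fill pattern instead of silently working. */
static void sweep(void) {
    for (int i = 0; i < heap_used; i++) {
        if (heap[i].marked) { heap[i].marked = 0; continue; }
        memset(&heap[i], SWEPT_PATTERN, sizeof heap[i]);
    }
}

/* Runs one GC over a single lazy-link frame, then reads the first argument's
 * tag the way a type monitor would. Returns true when the argument is still a
 * valid object and false when it was swept out from under the frame. */
bool argument_survives_gc(bool trace_lazy_link_args) {
    heap_used = 0;
    Frame f = { .kind = FRAME_LAZY_LINK, .thisv = alloc_cell(), .nargs = 1 };
    f.args[0] = alloc_cell();

    mark_this_and_arguments(&f, trace_lazy_link_args);
    sweep();

    /* After a sweep the cell's bytes are 0x2b2b2b2b, not KIND_OBJECT. */
    return f.args[0]->kind == KIND_OBJECT;
}

int main(void) {
    printf("lazy-link formals not traced: argument valid = %d\n",
           (int)argument_survives_gc(false));
    printf("lazy-link formals traced:     argument valid = %d\n",
           (int)argument_survives_gc(true));
    return 0;
}
```

The first call is the failure mode: the argument cell is not a root, gets swept, and the tag read afterwards sees the fill pattern rather than an object, which is the shape of failure a dereference of a poisoned value produces. The second call traces the formals and the read succeeds. The check a practitioner wants for this class of bug is the one the reporter used: force collections as often as possible (here gczeal(7,1)) so a missing root surfaces deterministically instead of only when a collection happens to land while the frame is live.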
Comment on attachment 8663775 [details] [diff] [review]
Patch

Review of attachment 8663775 [details] [diff] [review]:
-----------------------------------------------------------------

Nice catch!
Attachment #8663775 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/e64d983ee34e
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44