Closed Bug 1208419 Opened 9 years ago Closed 9 years ago

Crash [@ ??] with Debugger and jump to 0x0

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
firefox44 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:bisectfix])

Crash Data

The following testcase crashes on mozilla-central revision 19b4265d0d56 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

var g = newGlobal();
g.parent = this;
// A Debugger in a second global observes Ion compilations of this global.
g.eval(`
  var dbg = new Debugger();
  var parentw = dbg.addDebuggee(parent);
  dbg.onIonCompilation = function (graph) {
  };
`);
// Repeatedly enable compacting GC zeal (mode 14) while --ion-eager keeps compiling.
for (var i = 0; i < 1000; ++i)
  loadFile("gczeal(14, 17)");
function loadFile(lfVarx) {
  evaluate(lfVarx);
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff7ff55e4 in ?? ()
[...]
#13 0xfffc7ffff7e8a6c0 in ?? ()
#14 0x000000000043026c in js::jit::IonCompile (cx=0xfffc7ffff7e766c0, script=<optimized out>, baselineFrame=<optimized out>, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::Optimization_DontCompile) at js/src/jit/Ion.cpp:2253
#15 0x00007ffff7e61160 in ?? ()
#16 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0xfffc7ffff7e766c0	-985162554317120
rcx	0x7fffffffd6c0	140737488344768
rdx	0x7ffff6907050	140737330049104
rsi	0x0	0
rdi	0x7ffff6a00048	140737331069000
rbp	0x7fffffffd270	140737488343664
rsp	0x7fffffffd240	140737488343616
r8	0x0	0
r9	0xffffc000	4294950912
r10	0x46000	286720
r11	0x7ffff6a00121	140737331069217
r12	0x8	8
r13	0x7fffffffd6f0	140737488344816
r14	0x1	1
r15	0x7ffff6914800	140737330104320
rip	0x0	0
=> 0x0:	


Not marking s-s due to debugger, but please fix this immediately since it's hard to match as a crash.
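A small triage helper, added here as an example (not part of the bug report or of Mozilla's tooling): it parses the gdb dump format quoted above, using a constructed excerpt with frames #2 to #12 elided, flags the jump to pc 0, and derives a de-duplication signature from the first symbolised frame instead of the `[@ ??]` signature that makes this crash hard to match.

```python
import re

# Constructed excerpt modelled on the gdb output quoted in this bug (frames #2-#12 elided).
SAMPLE = """\
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff7ff55e4 in ?? ()
#13 0xfffc7ffff7e8a6c0 in ?? ()
#14 0x000000000043026c in js::jit::IonCompile (cx=0xfffc7ffff7e766c0, script=<optimized out>) at js/src/jit/Ion.cpp:2253
#15 0x00007ffff7e61160 in ?? ()
#16 0x0000000000000000 in ?? ()
rax\t0x0\t0
rbx\t0xfffc7ffff7e766c0\t-985162554317120
rip\t0x0\t0
"""

# "#14 0x...43026c in js::jit::IonCompile (cx=..., ...) at js/src/jit/Ion.cpp:2253"
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-f]+) in (\S+) \((.*?)\)(?: at (\S+))?")
# "rip<TAB>0x0<TAB>0" as printed by gdb's "info registers"
REG_RE = re.compile(r"^([a-z][a-z0-9]+)\t0x([0-9a-f]+)\t")

def parse_gdb(text):
    """Split a gdb session dump into backtrace frames and a register map."""
    frames, regs = [], {}
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"n": int(m.group(1)), "pc": int(m.group(2), 16),
                           "func": m.group(3), "loc": m.group(5)})
            continue
        m = REG_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return frames, regs

def triage(text):
    """Classify the crash and derive a signature usable for de-duplication.

    A pc of 0 means control flow reached a null target, which gdb reports as
    "in ?? ()"; the default "[@ ??]" signature then collides with every other
    unsymbolised crash, so fall back to the first named frame."""
    frames, regs = parse_gdb(text)
    null_jump = regs.get("rip") == 0 or bool(frames and frames[0]["pc"] == 0)
    known = [f for f in frames if f["func"] != "??"]
    return {
        "null_jump": null_jump,
        "signature": known[0]["func"] if known else "??",
        "location": known[0]["loc"] if known else None,
        # how many unsymbolised frames sit above the first usable one
        "frames_above_signature": known[0]["n"] if known else len(frames),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```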
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e5effeb8e57c).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3bbd0d929128
user:        Hannes Verschore
date:        Fri Aug 14 17:57:57 2015 +0200
summary:     Bug 1178834: IonMonkey - Always lazy link code, r=jandem

This iteration took 176.144 seconds to run.
Flags: needinfo?(hv1989)
Note |gczeal(14, 17)| is compacting GC zeal mode.
Have you found similar crashes recently? Or could it be that it is already fixed due to our recent sprint?
Flags: needinfo?(hv1989) → needinfo?(choller)
Haven't seen any more, marking as FIXED.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(choller)
Resolution: --- → FIXED
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:bisectfix]