Closed
Bug 1233921
Opened 8 years ago
Closed 8 years ago
Crash [@ callStackAtAddr] or Assertion failure: nativeStartAddr, at jit/JitcodeMap.h:164 with enableSingleStepProfiling
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla48
People
(Reporter: decoder, Assigned: jandem)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Crash Data
Attachments (1 file)
2.27 KB, patch, shu: review+
The following testcase crashes on mozilla-central revision 66fb852962c0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --disable-debug, run with --ion-eager --ion-offthread-compile=off):

    g = newGlobal();
    g.parent = this;
    g.eval("new Debugger(parent).onExceptionUnwind = function () {}");
    enableSPSProfiling();
    enableSingleStepProfiling();
    f();
    f();
    function $ERROR() {
      throw Error;
    }
    function f() {
      try {
        $ERROR()
      } catch (ex) {}
    }

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    callStackAtAddr (maxResults=64, results=0xffffa690, ptr=0x0, rt=0xf7a3c000, this=0xffffa660) at js/src/jit/JitcodeMap.h:793
    #0  callStackAtAddr (maxResults=64, results=0xffffa690, ptr=0x0, rt=0xf7a3c000, this=0xffffa660) at js/src/jit/JitcodeMap.h:793
    #1  JS::ProfilingFrameIterator::extractStack (this=this@entry=0xffffa820, frames=frames@entry=0xffffa850, offset=offset@entry=0, end=end@entry=16) at js/src/vm/Stack.cpp:2046
    #2  0x0808a4d4 in SingleStepCallback (arg=<optimized out>, sim=<optimized out>, pc=0x0) at js/src/shell/js.cpp:4185
    #3  0x083491eb in execute<false> (this=0xf7a85000) at js/src/jit/arm/Simulator-arm.cpp:4445
    #4  js::jit::Simulator::callInternal (this=this@entry=0xf7a85000, entry=entry@entry=0xf7fc87a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
    #5  0x0834937a in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc87a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4631
    #6  0x081de8ba in EnterIon (data=..., cx=0xf7a86040) at js/src/jit/Ion.cpp:2700
    #7  js::jit::IonCannon (cx=cx@entry=0xf7a86040, state=...) at js/src/jit/Ion.cpp:2804
    #8  0x08489005 in js::RunScript (cx=cx@entry=0xf7a86040, state=...) at js/src/vm/Interpreter.cpp:387
    #9  0x08489123 in js::Invoke (cx=0xf7a86040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
    #10 0x08489ee2 in js::Invoke (cx=0xf7a86040, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0xffffaef0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:512
    #11 0x08455c8a in js::Debugger::fireExceptionUnwind (this=this@entry=0xf7a9c000, cx=0xf7a86040, vp=...) at js/src/vm/Debugger.cpp:1269
    #12 0x08455f3e in operator() (dbg=0xf7a9c000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:741
    #13 dispatchHook<js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::__lambda6, js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::__lambda7> (fireHook=..., cx=<optimized out>, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1444
    #14 js::Debugger::slowPathOnExceptionUnwind (cx=cx@entry=0xf7a86040, frame=...) at js/src/vm/Debugger.cpp:742
    #15 0x08200eee in onExceptionUnwind (frame=..., cx=0xf7a86040) at js/src/vm/Debugger-inl.h:58
    #16 HandleExceptionBaseline (pc=0xf4168751 "p\231\220\210\001\216\f", rfe=<optimized out>, frame=..., cx=<optimized out>) at js/src/jit/JitFrames.cpp:718
    #17 js::jit::HandleException (rfe=0xf45ffc68) at js/src/jit/JitFrames.cpp:899
    #18 0x08345ea1 in js::jit::Simulator::softwareInterrupt (this=0xf7a85000, instr=0xf7a02824) at js/src/jit/arm/Simulator-arm.cpp:2321
    [...]
    #59 main (argc=4, argv=0xffffce44, envp=0xffffce58) at js/src/shell/js.cpp:6878

    eax            0xf7a3c000       -140263424
    ebx            0x9431080        155390080
    ecx            0x0      0
    edx            0x0      0
    esi            0xf7a85000       -139964416
    edi            0xffffa820       -22496
    ebp            0xffffa7a8       4294944680
    esp            0xffffa610       4294944272
    eip            0x84e02c9        <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+249>
    => 0x84e02c9 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+249>:  movl   $0x319,0x0
       0x84e02d3 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+259>:  call   0x808f130 <abort()>
Comment 1 • 8 years ago
Naveed, this is a regression in beta; can we get an assignee?
Flags: needinfo?(nihsanullah)
Comment 2 • 8 years ago
Jan, please take a look and assign appropriately.
Flags: needinfo?(nihsanullah) → needinfo?(jdemooij)
Comment 3 • 8 years ago (Assignee)
We were doing a debug mode exception bailout, and as part of that, setting nativeCodeForPC to nullptr. This address is later used as a fake return address when we call FinishBailoutToBaseline, but the profiler doesn't like seeing a nullptr return address.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8732132 - Flags: review?(shu)
Comment 4 • 8 years ago (Assignee)
No need to uplift this. The actual bug is also older than beta.
Comment 5 • 8 years ago
Comment on attachment 8732132 [details] [diff] [review]
Patch

Review of attachment 8732132 [details] [diff] [review]:
-----------------------------------------------------------------

Good find! Thanks for the patch.
Attachment #8732132 - Flags: review?(shu) → review+
Comment 7 • 8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b74d0709e0a5
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48