Closed Bug 1233921 Opened 8 years ago Closed 8 years ago

Crash [@ callStackAtAddr] or Assertion failure: nativeStartAddr, at jit/JitcodeMap.h:164 with enableSingleStepProfiling

Categories

(Core :: JavaScript Engine, defect)

Hardware: ARM
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox46 --- wontfix
firefox48 --- fixed

People

(Reporter: decoder, Assigned: jandem)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 66fb852962c0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --disable-debug, run with --ion-eager --ion-offthread-compile=off):

g = newGlobal();
g.parent = this;
// Debugger living in a second global, with an onExceptionUnwind hook so the throw below fires it.
g.eval("new Debugger(parent).onExceptionUnwind = function () {}");
enableSPSProfiling();
enableSingleStepProfiling();
f();
f();
function $ERROR() {
  throw Error;
}
function f() {
  try {
    $ERROR();
  } catch (ex) {}
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
callStackAtAddr (maxResults=64, results=0xffffa690, ptr=0x0, rt=0xf7a3c000, this=0xffffa660) at js/src/jit/JitcodeMap.h:793
#0  callStackAtAddr (maxResults=64, results=0xffffa690, ptr=0x0, rt=0xf7a3c000, this=0xffffa660) at js/src/jit/JitcodeMap.h:793
#1  JS::ProfilingFrameIterator::extractStack (this=this@entry=0xffffa820, frames=frames@entry=0xffffa850, offset=offset@entry=0, end=end@entry=16) at js/src/vm/Stack.cpp:2046
#2  0x0808a4d4 in SingleStepCallback (arg=<optimized out>, sim=<optimized out>, pc=0x0) at js/src/shell/js.cpp:4185
#3  0x083491eb in execute<false> (this=0xf7a85000) at js/src/jit/arm/Simulator-arm.cpp:4445
#4  js::jit::Simulator::callInternal (this=this@entry=0xf7a85000, entry=entry@entry=0xf7fc87a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4548
#5  0x0834937a in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc87a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4631
#6  0x081de8ba in EnterIon (data=..., cx=0xf7a86040) at js/src/jit/Ion.cpp:2700
#7  js::jit::IonCannon (cx=cx@entry=0xf7a86040, state=...) at js/src/jit/Ion.cpp:2804
#8  0x08489005 in js::RunScript (cx=cx@entry=0xf7a86040, state=...) at js/src/vm/Interpreter.cpp:387
#9  0x08489123 in js::Invoke (cx=0xf7a86040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#10 0x08489ee2 in js::Invoke (cx=0xf7a86040, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0xffffaef0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:512
#11 0x08455c8a in js::Debugger::fireExceptionUnwind (this=this@entry=0xf7a9c000, cx=0xf7a86040, vp=...) at js/src/vm/Debugger.cpp:1269
#12 0x08455f3e in operator() (dbg=0xf7a9c000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:741
#13 dispatchHook<js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::__lambda6, js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::__lambda7> (fireHook=..., cx=<optimized out>, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1444
#14 js::Debugger::slowPathOnExceptionUnwind (cx=cx@entry=0xf7a86040, frame=...) at js/src/vm/Debugger.cpp:742
#15 0x08200eee in onExceptionUnwind (frame=..., cx=0xf7a86040) at js/src/vm/Debugger-inl.h:58
#16 HandleExceptionBaseline (pc=0xf4168751 "p\231\220\210\001\216\f", rfe=<optimized out>, frame=..., cx=<optimized out>) at js/src/jit/JitFrames.cpp:718
#17 js::jit::HandleException (rfe=0xf45ffc68) at js/src/jit/JitFrames.cpp:899
#18 0x08345ea1 in js::jit::Simulator::softwareInterrupt (this=0xf7a85000, instr=0xf7a02824) at js/src/jit/arm/Simulator-arm.cpp:2321
[...]
#59 main (argc=4, argv=0xffffce44, envp=0xffffce58) at js/src/shell/js.cpp:6878
eax	0xf7a3c000	-140263424
ebx	0x9431080	155390080
ecx	0x0	0
edx	0x0	0
esi	0xf7a85000	-139964416
edi	0xffffa820	-22496
ebp	0xffffa7a8	4294944680
esp	0xffffa610	4294944272
eip	0x84e02c9 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+249>
=> 0x84e02c9 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+249>:	movl   $0x319,0x0
   0x84e02d3 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+259>:	call   0x808f130 <abort()>
Naveed, this is a regression in beta; can we get an assignee?
Flags: needinfo?(nihsanullah)
Jan, please take a look and assign appropriately.
Flags: needinfo?(nihsanullah) → needinfo?(jdemooij)
Attached patch: Patch (Splinter Review)
We were doing a debug mode exception bailout, and as part of that, setting nativeCodeForPC to nullptr.

This address is later used as fake return address when we call FinishBailoutToBaseline, but the profiler doesn't like seeing a nullptr return address.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8732132 - Flags: review?(shu)
No need to uplift this. The actual bug is also older than beta.
Comment on attachment 8732132 [details] [diff] [review]
Patch

Review of attachment 8732132 [details] [diff] [review]:
-----------------------------------------------------------------

Good find! Thanks for the patch.
Attachment #8732132 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/b74d0709e0a5
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48