Closed Bug 1238793 Opened 8 years ago Closed 8 years ago

Hit MOZ_CRASH(Invalid frame type prior to exit frame.) at jit/JitFrames.cpp:3072 or Crash [@ js::jit::JitProfilingFrameIterator::JitProfilingFrameIterator]

Categories

(Core :: JavaScript Engine, defect)

Hardware: ARM
OS: Linux
Type: defect
Priority: Not set
Severity: critical
Tracking

RESOLVED FIXED
Tracking Status
firefox46 --- wontfix

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect,ignore])

The following testcase crashes on mozilla-central revision 6020a4cb41a7 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

// Fuzzer-generated harness: overriding push() on this array instance routes
// every push() call through loadFile() below.
lfcode = Array();
lfcode.push = loadFile;
lfcode.push("");   // empty string: sets lfRunTypeId (see loadFile)
lfcode.push(`
    g = newGlobal();
    g.parent = this;
    g.eval("Debugger(parent).onIonCompilation = function() {};");
    enableSPSProfiling();
    enableSingleStepProfiling();
`);
lfcode.push("");
lfcode.push("");
function loadFile(lfVarx) {
  // Strings longer than three characters are evaluated as script;
  // shorter ones (here "") only set the run-type selector.
  if (lfVarx.substr(3)) {
    switch (lfRunTypeId) {
      default: evaluate(lfVarx)
    }
  } else lfRunTypeId = lfVarx;
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0832ef2d in js::jit::JitProfilingFrameIterator::JitProfilingFrameIterator (this=0xffffa980, exitFrame=0xf59ffd58) at js/src/jit/JitFrames.cpp:3072
#0  0x0832ef2d in js::jit::JitProfilingFrameIterator::JitProfilingFrameIterator (this=0xffffa980, exitFrame=0xf59ffd58) at js/src/jit/JitFrames.cpp:3072
#1  0x0872bad0 in JS::ProfilingFrameIterator::iteratorConstruct (this=this@entry=0xffffa970) at js/src/vm/Stack.cpp:1935
#2  0x0872c016 in JS::ProfilingFrameIterator::settle (this=this@entry=0xffffa970) at js/src/vm/Stack.cpp:1901
#3  0x0872c227 in JS::ProfilingFrameIterator::ProfilingFrameIterator (this=0xffffa970, rt=0xf7a3c000, state=..., sampleBufferGen=4294967295) at js/src/vm/Stack.cpp:1861
#4  0x080ebe05 in SingleStepCallback (arg=0xf7a3c000, sim=0xf7a77000, pc=0x0) at js/src/shell/js.cpp:4194
#5  0x084f8aab in execute<false> (this=0xf7a77000) at js/src/jit/arm/Simulator-arm.cpp:4444
#6  js::jit::Simulator::callInternal (this=this@entry=0xf7a77000, entry=entry@entry=0xf7fc8a70 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4547
#7  0x084f8eb5 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8a70 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4630
#8  0x0822fe8b in EnterBaseline (cx=cx@entry=0xf7a78020, data=...) at js/src/jit/BaselineJIT.cpp:135
#9  0x0823b09d in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a78020, state=...) at js/src/jit/BaselineJIT.cpp:173
#10 0x086b4bf8 in js::RunScript (cx=cx@entry=0xf7a78020, state=...) at js/src/vm/Interpreter.cpp:414
#11 0x086b4ede in js::Invoke (cx=0xf7a78020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#12 0x086b59ae in js::Invoke (cx=0xf7a78020, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0xffffb360, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:529
#13 0x0864dae7 in js::Debugger::fireOnIonCompilationHook (this=this@entry=0xf7a4e000, cx=cx@entry=0xf7a78020, scripts=scripts@entry=..., graph=...) at js/src/vm/Debugger.cpp:1407
#14 0x0864deca in operator() (dbg=0xf7a4e000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:1738
#15 dispatchHook<js::Debugger::slowPathOnIonCompilation(JSContext*, JS::Handle<js::TraceableVector<JSScript*> >, js::LSprinter&)::__lambda10, js::Debugger::slowPathOnIonCompilation(JSContext*, JS::Handle<js::TraceableVector<JSScript*> >, js::LSprinter&)::__lambda11> (fireHook=..., cx=0xf7a78020, cx@entry=0xffffb490, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1444
#16 js::Debugger::slowPathOnIonCompilation (cx=cx@entry=0xf7a78020, scripts=scripts@entry=..., graph=...) at js/src/vm/Debugger.cpp:1740
#17 0x0830c419 in onIonCompilation (graph=..., scripts=..., cx=0xf7a78020) at js/src/vm/Debugger-inl.h:81
#18 js::jit::LazyLink (cx=cx@entry=0xf7a78020, calleeScript=calleeScript@entry=...) at js/src/jit/Ion.cpp:653
#19 0x0830c729 in js::jit::LazyLinkTopActivation (cx=cx@entry=0xf7a78020) at js/src/jit/Ion.cpp:667
#20 0x084f676b in js::jit::Simulator::softwareInterrupt (this=0xf7a77000, instr=0xf551d334) at js/src/jit/arm/Simulator-arm.cpp:2320
#21 0x084f6c66 in js::jit::Simulator::decodeType7 (this=0xf7a77000, instr=0xf551d334) at js/src/jit/arm/Simulator-arm.cpp:3482
#22 0x084f4c25 in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a77000, instr=instr@entry=0xf551d334) at js/src/jit/arm/Simulator-arm.cpp:4404
[...]
#49 main (argc=5, argv=0xffffce24, envp=0xffffce3c) at js/src/shell/js.cpp:6918
eax	0x0	0
ebx	0x980943c	159421500
ecx	0xf7e3b88c	-136071028
edx	0x0	0
esi	0xf59ffd58	-174064296
edi	0x0	0
ebp	0xffffa868	4294944872
esp	0xffffa840	4294944832
eip	0x832ef2d <js::jit::JitProfilingFrameIterator::JitProfilingFrameIterator(void*)+605>
=> 0x832ef2d <js::jit::JitProfilingFrameIterator::JitProfilingFrameIterator(void*)+605>:	movl   $0xc00,0x0
   0x832ef37 <js::jit::JitProfilingFrameIterator::JitProfilingFrameIterator(void*)+615>:	call   0x80f8c10 <abort()>
Depends on: 1244215
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1dbe350b57b1).
Yup, fixed by bug 1244215.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
This was fixed in 47 but too late to uplift to beta 46. Wontfix.