Closed Bug 1250520 Opened 9 years ago Closed 9 years ago

Crash [@ __strlen_sse2_bsf] with Debugger

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox47 --- fixed
firefox48 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 789a12291942 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions):

var g = newGlobal();
var dbg = new Debugger(g);
dbg.onDebuggerStatement = function (frame) {
  frame.evalWithBindings("x", g.Function.prototype());
};
g.eval("debugger;");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
#0  __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
#1  0x08539131 in js::ExpandErrorArgumentsVA (cx=cx@entry=0xf7a75020, callback=callback@entry=0x8526940 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=357, messagep=messagep@entry=0xffffa790, reportp=reportp@entry=0xffffa7a0, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=0xffffa848 "a\250\377\377,\224\210\t\200\034\241\367\020\034\241\367\270\250\377\001a\250\377\377\020\060", ap@entry=0xffffa844 "") at js/src/jscntxt.cpp:608
#2  0x08539422 in js::ReportErrorNumberVA (cx=0xf7a75020, flags=flags@entry=0, callback=callback@entry=0x8526940 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=357, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=ap@entry=0xffffa844 "") at js/src/jscntxt.cpp:744
#3  0x0853a154 in JS_ReportErrorFlagsAndNumber (cx=cx@entry=0xf7a75020, flags=0, errorCallback=0x8526940 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=357) at js/src/jsapi.cpp:5372
#4  0x08665d14 in reportIfFoundInStack (script=..., cx=0xf7a75020) at js/src/vm/Debugger.cpp:359
#5  js::Debugger::slowPathCheckNoExecute (cx=cx@entry=0xf7a75020, script=...) at js/src/vm/Debugger.cpp:399
#6  0x08743318 in checkNoExecute (script=..., cx=0xf7a75020) at js/src/vm/Debugger-inl.h:41
#7  js::RunScript (cx=cx@entry=0xf7a75020, state=...) at js/src/vm/Interpreter.cpp:392
#8  0x087437de in js::Invoke (cx=0xf7a75020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:496
#9  0x087441ae in js::Invoke (cx=cx@entry=0xf7a75020, thisv=..., fval=..., argc=0, argv=0xf6323130, rval=...) at js/src/vm/Interpreter.cpp:530
#10 0x08629542 in js::DirectProxyHandler::call (this=this@entry=0x98bb530 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xf7a75020, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#11 0x0862dddd in js::CrossCompartmentWrapper::call (this=0x98bb530 <js::CrossCompartmentWrapper::singleton>, cx=0xf7a75020, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#12 0x0862ce82 in js::Proxy::call (cx=cx@entry=0xf7a75020, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#13 0x0862cf19 in js::proxy_Call (cx=0xf7a75020, argc=0, vp=0xf6323120) at js/src/proxy/Proxy.cpp:683
#14 0x08749f0a in js::CallJSNative (cx=0xf7a75020, native=0x862cea0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#15 0x08743a32 in js::Invoke (cx=0xf7a75020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:466
#16 0x08733ab0 in Interpret (cx=cx@entry=0xf7a75020, state=...) at js/src/vm/Interpreter.cpp:2802
#17 0x0874349f in js::RunScript (cx=cx@entry=0xf7a75020, state=...) at js/src/vm/Interpreter.cpp:428
#18 0x087437de in js::Invoke (cx=0xf7a75020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:496
#19 0x087441ae in js::Invoke (cx=0xf7a75020, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0xffffb298, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:530
#20 0x0866d00b in js::Debugger::fireDebuggerStatement (this=this@entry=0xf7a55000, cx=cx@entry=0xf7a75020, vp=vp@entry=...) at js/src/vm/Debugger.cpp:1398
#21 0x0866d3ba in operator() (dbg=0xf7a55000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:853
#22 dispatchHook<js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::__lambda3, js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::__lambda4> (fireHook=..., cx=0xf7a75020, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1602
#23 js::Debugger::slowPathOnDebuggerStatement (cx=cx@entry=0xf7a75020, frame=frame@entry=...) at js/src/vm/Debugger.cpp:854
#24 0x0873d2b9 in onDebuggerStatement (frame=..., cx=0xf7a75020) at js/src/vm/Debugger-inl.h:58
#25 Interpret (cx=cx@entry=0xf7a75020, state=...) at js/src/vm/Interpreter.cpp:3623
#26 0x0874349f in js::RunScript (cx=cx@entry=0xf7a75020, state=...) at js/src/vm/Interpreter.cpp:428
#27 0x087489db in js::ExecuteKernel (cx=cx@entry=0xf7a75020, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=0xffffbe30) at js/src/vm/Interpreter.cpp:684
#28 0x0824b643 in EvalKernel (cx=cx@entry=0xf7a75020, args=..., evalType=evalType@entry=INDIRECT_EVAL, caller=caller@entry=..., scopeobj=..., scopeobj@entry=..., pc=pc@entry=0x0) at js/src/builtin/Eval.cpp:332
#29 0x0824bd9b in js::IndirectEval (cx=0xf7a75020, argc=1, vp=0xffffbe30) at js/src/builtin/Eval.cpp:421
#30 0x08749f0a in js::CallJSNative (cx=0xf7a75020, native=0x824bcf0 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#49 main (argc=5, argv=0xffffcba4, envp=0xffffcbbc) at js/src/shell/js.cpp:7120

eax            0x0      0
ebx            0x988942c        159945772
ecx            0x0      0
edx            0x0      0
esi            0x0      0
edi            0x0      0
ebp            0xffffa768       4294944616
esp            0xffffa6a4       4294944420
eip            0xf7d12e86       <__strlen_sse2_bsf+22>
=> 0xf7d12e86 <__strlen_sse2_bsf+22>:   movdqu (%edi),%xmm1
   0xf7d12e8a <__strlen_sse2_bsf+26>:   pcmpeqb %xmm1,%xmm0
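The register dump pins the fault down: edi is 0 at the faulting movdqu (%edi), so strlen() was handed a null pointer while js::ExpandErrorArgumentsVA (frame #1) was expanding ASCII arguments for the DebuggeeWouldRun report raised from js::Debugger::slowPathCheckNoExecute (frames #3 to #5). The attachment later on this bug, "Handle reporting DebuggeeWouldRun when the script has no filename", names the null argument: the filename of a script that never had one. The block below is an added illustration of the defensive shape such a report path needs; it is not SpiderMonkey code and not the patch attached here. The function names, the message wording and the "<unknown>" / "<missing arg>" placeholders are assumptions made for this example (the "{N}" placeholder convention is the one SpiderMonkey's js.msg uses, but the text is invented).

```cpp
// Added illustration for bug 1250520: a null-tolerant error-argument
// expander. Not SpiderMonkey code and not the fix attached to the bug;
// names, message text and placeholder strings are assumptions.
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for a js.msg-style format string: "{N}" is
// replaced by the N-th argument. The wording is invented here.
static const char* const kDebuggeeWouldRunFormat =
    "Debuggee would run at {0}:{1}";

// Length of a possibly-null C string. In the backtrace the equivalent
// strlen() ran unconditionally (edi = 0 at the faulting movdqu), so a
// script without a filename took the whole process down.
static size_t safeLen(const char* s) { return s ? std::strlen(s) : 0; }

// Expand "{N}" placeholders from an argument list that may contain nulls.
// A null argument renders as a labelled placeholder, an index past the end
// of the list as another one; neither path dereferences a null pointer.
std::string expandErrorArguments(const char* format,
                                 const std::vector<const char*>& args) {
  std::string out;
  size_t total = std::strlen(format);
  for (const char* a : args) total += safeLen(a);
  out.reserve(total + 16);

  for (const char* p = format; *p != '\0'; ++p) {
    // Only "{<digit>}" is a placeholder; anything else is literal text.
    bool placeholder =
        (p[0] == '{' && p[1] >= '0' && p[1] <= '9' && p[2] == '}');
    if (!placeholder) {
      out += *p;
      continue;
    }
    size_t idx = static_cast<size_t>(p[1] - '0');
    if (idx >= args.size()) {
      out += "<missing arg>";
    } else if (args[idx] == nullptr) {
      out += "<unknown>";
    } else {
      out += args[idx];
    }
    p += 2;  // consume "N}"; the loop's ++p then steps past the '}'
  }
  return out;
}

// Report path mirroring frames #3 to #5 of the backtrace: the filename may be
// null for a script that was never given a URL. Returns the message text a
// real reporter would hand to the console.
std::string reportDebuggeeWouldRun(const char* scriptFilename,
                                   unsigned lineno) {
  std::string line = std::to_string(lineno);
  return expandErrorArguments(kDebuggeeWouldRunFormat,
                              {scriptFilename, line.c_str()});
}

int main() {
  std::cout << reportDebuggeeWouldRun("test.js", 3) << "\n";
  std::cout << reportDebuggeeWouldRun(nullptr, 1) << "\n";
  return 0;
}
```

The point of the shape is that the null check sits in the one place every ASCII argument passes through, so a caller that forgets a script can lack a filename degrades to an "<unknown>" in the warning text rather than to a segfault reachable from a debuggee's onDebuggerStatement hook.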
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160219133522" and the hash "1205efecce10f87c04a9bf2bfb91c6b5cf5f2239".

The "bad" changeset has the timestamp "20160219134321" and the hash "2feba844e67bbf6dddec9578a171b95ee896dfea".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1205efecce10f87c04a9bf2bfb91c6b5cf5f2239&tochange=2feba844e67bbf6dddec9578a171b95ee896dfea
Guessing related to bug 912337 based on the regression window.
Blocks: 912337
I have a bunch of other things I'm looking into right now, but if I can get that pile cleared out before Shu comes back from PTO, I'll look at this.
Flags: needinfo?(shu)
Attachment #8727602 - Flags: review?(nfitzgerald) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Comment on attachment 8727602 [details] [diff] [review]
Handle reporting DebuggeeWouldRun when the script has no filename.

Approval Request Comment
[Feature/regressing bug #]: 912337
[User impact if declined]: crashes with the debugger open and warnings turned on
[Describe test coverage new/current, TreeHerder]: on m-c
[Risks and why]: low, bug fix only
[String/UUID change made/needed]: none
Attachment #8727602 - Flags: approval-mozilla-aurora?
Comment on attachment 8727602 [details] [diff] [review]
Handle reporting DebuggeeWouldRun when the script has no filename.

Crash fix that baked in Nightly for over a month, Aurora48+
Attachment #8727602 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8727602 [details] [diff] [review]
Handle reporting DebuggeeWouldRun when the script has no filename.

This fix is already in 48 and needs to be uplifted to Beta47.
Attachment #8727602 - Flags: approval-mozilla-aurora+ → approval-mozilla-beta+