Bug 1263899
Opened 8 years ago
Closed 8 years ago
Crash [@ js::jit::SnapshotIterator::fromInstructionResult] with Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla48
| | Tracking | Status |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

    try {
      evaluate(`
        function runTestCase() $ERROR()
        function $ERROR() { throw Error }
        Object.defineProperty(this, "x", { value: 0 });
        setJitCompilerOption("ion.warmup.trigger", 0)
      `)
      evaluate(`function f() {} f(x)`)
      runTestCase()
    } catch (exc) {}
    evaluate(`
      g = newGlobal()
      g.parent = this
      g.eval("(" + function() {
        Debugger(parent).onExceptionUnwind = function(frame) { frame.older }
      } + ")()")
      try { $ERROR() } catch(e){}
    `)
    evaluate(`
      x ^= null;
      if (x = 1) $ERROR()
    `);

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    js::jit::SnapshotIterator::fromInstructionResult (this=0x7fffffff98b0, index=0) at js/src/jit/JitFrames.cpp:2148
    #0  js::jit::SnapshotIterator::fromInstructionResult (this=0x7fffffff98b0, index=0) at js/src/jit/JitFrames.cpp:2148
    #1  0x00000000006d292e in js::jit::SnapshotIterator::allocationValue (this=this@entry=0x7fffffff98b0, alloc=..., rm=rm@entry=js::jit::SnapshotIterator::RM_Normal) at js/src/jit/JitFrames.cpp:1869
    #2  0x00000000007c266c in js::jit::SnapshotIterator::read (this=0x7fffffff98b0) at js/src/jit/JitFrameIterator.h:542
    #3  0x00000000007c81bf in js::jit::InlineFrameIterator::readFrameArgsAndLocals<CopyValueToRematerializedFrame, CopyValueToRematerializedFrame> (this=this@entry=0x7fffffffa000, cx=cx@entry=0x7ffff6908800, argOp=..., localOp=..., scopeChain=scopeChain@entry=0x7ffff69c60b0, hasCallObj=hasCallObj@entry=0x7ffff69c6082, rval=rval@entry=0x7ffff69c60c8, argsObj=argsObj@entry=0x7ffff69c60c0, thisv=thisv@entry=0x7ffff69c60d0, behavior=behavior@entry=js::jit::ReadFrame_Actuals, fallback=...) at js/src/jit/JitFrameIterator.h:712
    #4  0x00000000007ba474 in js::jit::RematerializedFrame::RematerializedFrame (this=0x7ffff69c6080, cx=0x7ffff6908800, top=0x7fffffffbeb0 "͋\376\367\377\177", numActualArgs=<optimized out>, iter=..., fallback=...) at js/src/jit/RematerializedFrame.cpp:55
    #5  0x00000000007ba5a1 in js::jit::RematerializedFrame::New (cx=cx@entry=0x7ffff6908800, top=top@entry=0x7fffffffbeb0 "͋\376\367\377\177", iter=..., fallback=...) at js/src/jit/RematerializedFrame.cpp:72
    #6  0x00000000007bdaf9 in js::jit::RematerializedFrame::RematerializeInlineFrames (cx=cx@entry=0x7ffff6908800, top=0x7fffffffbeb0 "͋\376\367\377\177", iter=..., fallback=..., frames=...) at js/src/jit/RematerializedFrame.cpp:87
    #7  0x0000000000b3886d in js::jit::JitActivation::getRematerializedFrame (this=<optimized out>, cx=cx@entry=0x7ffff6908800, iter=..., inlineDepth=inlineDepth@entry=0) at js/src/vm/Stack.cpp:1593
    #8  0x0000000000b38eac in js::FrameIter::ensureHasRematerializedFrame (this=this@entry=0x7fffffffa438, cx=cx@entry=0x7ffff6908800) at js/src/vm/Stack.cpp:988
    #9  0x00000000009f36bc in DebuggerFrame_getOlder (cx=0x7ffff6908800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6943
    #10 0x00007ffff7fdb991 in ?? ()
    #11 0x00007ffff7e9e040 in ?? ()
    #12 0x00007fffffffa8e0 in ?? ()
    #13 0x0000000000000000 in ?? ()

Registers:

    rax 0x0  0
    rbx 0x7fffffff9800  140737488328704
    rcx 0x6d2910  7153936
    rdx 0xffffffffff85ff10  -7995632
    rsi 0x0  0
    rdi 0x7fffffff98b0  140737488328880
    rbp 0x7fffffff97c0  140737488328640
    rsp 0x7fffffff97c0  140737488328640
    r8  0x0  0
    r9  0x7ffff31f33c5  140737272296389
    r10 0x7fffffff9ab0  140737488329392
    r11 0x7ffff69012d8  140737330025176
    r12 0x7fffffff98b0  140737488328880
    r13 0x7fffffff9df0  140737488330224
    r14 0x7fffffff9df0  140737488330224
    r15 0x7fffffffa000  140737488330752
    rip 0x6d263d  <js::jit::SnapshotIterator::fromInstructionResult(unsigned int) const+13>
    => 0x6d263d <js::jit::SnapshotIterator::fromInstructionResult(unsigned int) const+13>: mov (%rax),%rax
       0x6d2640 <js::jit::SnapshotIterator::fromInstructionResult(unsigned int) const+16>: cmpb $0x0,0x28(%rax)
Updated 8 years ago
Flags: needinfo?(shu)
Updated 8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 8 years ago

JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151201015934" and the hash "9c0499a3aacc1c7e07b171c5e5e091e3471a6faa".
The "bad" changeset has the timestamp "20151201020234" and the hash "33d2af1ba94ed5048425e086c06668316b06a8b6".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9c0499a3aacc1c7e07b171c5e5e091e3471a6faa&tochange=33d2af1ba94ed5048425e086c06668316b06a8b6
Comment 2 • 8 years ago
Attachment #8742459 -
Flags: review?(nicolas.b.pierron)
Updated 8 years ago
Flags: needinfo?(shu)
Updated 8 years ago
Attachment #8742459 -
Flags: review?(nicolas.b.pierron) → review+
Comment 4 • 8 years ago

bugherder
https://hg.mozilla.org/mozilla-central/rev/76830a19c86a
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48