Crash [@ js::jit::SnapshotIterator::fromInstructionResult] with Debugger

RESOLVED FIXED in Firefox 48

Status: RESOLVED FIXED (defect, severity critical)
Reported: 3 years ago; Modified: 3 years ago
People: Reporter: decoder; Unassigned
Tracking: Blocks 1 bug; keywords: crash, testcase
Version: Trunk; Target Milestone: mozilla48; Platform: x86_64 Linux
Firefox Tracking Flags: firefox48 fixed
Whiteboard: [jsbugmon:update]; crash signature
Attachments: 1

The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

// Define a thrower ($ERROR), make x a non-writable global, and set Ion's
// warmup trigger to 0 so functions are Ion-compiled right away; the first
// throw is swallowed here.
try {
  evaluate(` 
    function runTestCase() $ERROR()
    function $ERROR() {
      throw Error
    }
    Object.defineProperty(this, "x", { value: 0 });
    setJitCompilerOption("ion.warmup.trigger", 0)
  `)
  evaluate(`function f() {} f(x)`)
  runTestCase()
} catch (exc) {}
// From a fresh global, attach a Debugger to this global. The onExceptionUnwind
// hook reads frame.older, which (see the backtrace) forces the Ion frame to be
// rematerialized while the exception is being unwound.
evaluate(`
  g = newGlobal()
  g.parent = this
  g.eval("(" + function() {
    Debugger(parent).onExceptionUnwind = function(frame) {
      frame.older
    }
  } + ")()")
  try { $ERROR() } catch(e){}
`)
// Throw again with the hook installed; the assignments to the non-writable x
// are silently ignored in sloppy mode, so $ERROR() is reached.
evaluate(`
  x ^= null;
  if (x = 1)
    $ERROR()
`);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::SnapshotIterator::fromInstructionResult (this=0x7fffffff98b0, index=0) at js/src/jit/JitFrames.cpp:2148
#0  js::jit::SnapshotIterator::fromInstructionResult (this=0x7fffffff98b0, index=0) at js/src/jit/JitFrames.cpp:2148
#1  0x00000000006d292e in js::jit::SnapshotIterator::allocationValue (this=this@entry=0x7fffffff98b0, alloc=..., rm=rm@entry=js::jit::SnapshotIterator::RM_Normal) at js/src/jit/JitFrames.cpp:1869
#2  0x00000000007c266c in js::jit::SnapshotIterator::read (this=0x7fffffff98b0) at js/src/jit/JitFrameIterator.h:542
#3  0x00000000007c81bf in js::jit::InlineFrameIterator::readFrameArgsAndLocals<CopyValueToRematerializedFrame, CopyValueToRematerializedFrame> (this=this@entry=0x7fffffffa000, cx=cx@entry=0x7ffff6908800, argOp=..., localOp=..., scopeChain=scopeChain@entry=0x7ffff69c60b0, hasCallObj=hasCallObj@entry=0x7ffff69c6082, rval=rval@entry=0x7ffff69c60c8, argsObj=argsObj@entry=0x7ffff69c60c0, thisv=thisv@entry=0x7ffff69c60d0, behavior=behavior@entry=js::jit::ReadFrame_Actuals, fallback=...) at js/src/jit/JitFrameIterator.h:712
#4  0x00000000007ba474 in js::jit::RematerializedFrame::RematerializedFrame (this=0x7ffff69c6080, cx=0x7ffff6908800, top=0x7fffffffbeb0 "͋\376\367\377\177", numActualArgs=<optimized out>, iter=..., fallback=...) at js/src/jit/RematerializedFrame.cpp:55
#5  0x00000000007ba5a1 in js::jit::RematerializedFrame::New (cx=cx@entry=0x7ffff6908800, top=top@entry=0x7fffffffbeb0 "͋\376\367\377\177", iter=..., fallback=...) at js/src/jit/RematerializedFrame.cpp:72
#6  0x00000000007bdaf9 in js::jit::RematerializedFrame::RematerializeInlineFrames (cx=cx@entry=0x7ffff6908800, top=0x7fffffffbeb0 "͋\376\367\377\177", iter=..., fallback=..., frames=...) at js/src/jit/RematerializedFrame.cpp:87
#7  0x0000000000b3886d in js::jit::JitActivation::getRematerializedFrame (this=<optimized out>, cx=cx@entry=0x7ffff6908800, iter=..., inlineDepth=inlineDepth@entry=0) at js/src/vm/Stack.cpp:1593
#8  0x0000000000b38eac in js::FrameIter::ensureHasRematerializedFrame (this=this@entry=0x7fffffffa438, cx=cx@entry=0x7ffff6908800) at js/src/vm/Stack.cpp:988
#9  0x00000000009f36bc in DebuggerFrame_getOlder (cx=0x7ffff6908800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6943
#10 0x00007ffff7fdb991 in ?? ()
#11 0x00007ffff7e9e040 in ?? ()
#12 0x00007fffffffa8e0 in ?? ()
#13 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffff9800	140737488328704
rcx	0x6d2910	7153936
rdx	0xffffffffff85ff10	-7995632
rsi	0x0	0
rdi	0x7fffffff98b0	140737488328880
rbp	0x7fffffff97c0	140737488328640
rsp	0x7fffffff97c0	140737488328640
r8	0x0	0
r9	0x7ffff31f33c5	140737272296389
r10	0x7fffffff9ab0	140737488329392
r11	0x7ffff69012d8	140737330025176
r12	0x7fffffff98b0	140737488328880
r13	0x7fffffff9df0	140737488330224
r14	0x7fffffff9df0	140737488330224
r15	0x7fffffffa000	140737488330752
rip	0x6d263d <js::jit::SnapshotIterator::fromInstructionResult(unsigned int) const+13>
=> 0x6d263d <js::jit::SnapshotIterator::fromInstructionResult(unsigned int) const+13>:	mov    (%rax),%rax
   0x6d2640 <js::jit::SnapshotIterator::fromInstructionResult(unsigned int) const+16>:	cmpb   $0x0,0x28(%rax)
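The register dump and the faulting instruction above are enough to classify the fault without reading the source: rax is 0x0 and the crashing instruction is `mov (%rax),%rax`, so this is a read of address 0, not a write through a controlled pointer, which is the first thing to establish when deciding whether a fuzzer crash is a DoS or a memory-safety bug worth more attention. The script below automates that check for gdb output of this shape. It is an added triage example, not part of the bug report and not SpiderMonkey code; the sample dump is constructed from the lines above, the register-line and AT&T-operand regexes are assumptions about gdb's default formatting, and the 0x1000 near-NULL threshold is a deliberately conservative assumption (Linux's vm.mmap_min_addr is usually larger).

```python
"""Crash triage for gdb output like the dump above: read the register dump and
the '=>' faulting instruction, compute the effective address of its memory
operand, and say whether this is a near-NULL read, a write through a bad
pointer, or a wild read.  Added example, not SpiderMonkey or Bugzilla code.
Assumptions: gdb's default 'info registers' and x86-64 AT&T disassembly
formatting, and that nothing below NULL_PAGE_LIMIT is ever mapped."""
import re

# Constructed sample, abridged from the register dump and disassembly in the
# report above (tabs as gdb prints them).
SAMPLE_DUMP = (
    "rax\t0x0\t0\n"
    "rbx\t0x7fffffff9800\t140737488328704\n"
    "rdi\t0x7fffffff98b0\t140737488328880\n"
    "rip\t0x6d263d <js::jit::SnapshotIterator::fromInstructionResult(unsigned int) const+13>\n"
    "=> 0x6d263d <js::jit::SnapshotIterator::fromInstructionResult(unsigned int) const+13>:"
    "\tmov    (%rax),%rax\n"
    "   0x6d2640 <js::jit::SnapshotIterator::fromInstructionResult(unsigned int) const+16>:"
    "\tcmpb   $0x0,0x28(%rax)\n"
)

NULL_PAGE_LIMIT = 0x1000  # assumption: the first page is never mapped (conservative)

REG_LINE = re.compile(r"^(r[a-z0-9]+)\s+(0x[0-9a-fA-F]+)(?:\s|$)")
FAULT_LINE = re.compile(r"^=>\s+0x[0-9a-fA-F]+\s+<([^>]*)>:\s+(\S+)\s*(.*)$")
# AT&T memory operand: [disp](base[,index[,scale]])
MEM_OPERAND = re.compile(
    r"(-?0x[0-9a-fA-F]+|-?\d+)?\((%[a-z0-9]+)(?:,(%[a-z0-9]+)(?:,([1248]))?)?\)")


def parse_registers(dump):
    """Map register name -> integer value from 'info registers' lines."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def parse_fault(dump):
    """Return (symbol, mnemonic, operand string) of the '=>' instruction."""
    for line in dump.splitlines():
        m = FAULT_LINE.match(line)
        if m:
            return m.group(1), m.group(2), m.group(3)
    raise ValueError("no '=>' faulting instruction in dump")


def split_operands(text):
    """Split AT&T operands on commas that are not inside (base,index,scale)."""
    ops, depth, cur = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            ops.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        ops.append(cur.strip())
    return ops


def effective_address(operand, regs):
    """Resolve disp(base,index,scale) against the register dump."""
    m = MEM_OPERAND.search(operand)
    if not m:
        return None, None
    disp = int(m.group(1), 0) if m.group(1) else 0
    base_name = m.group(2).lstrip("%")
    index = regs[m.group(3).lstrip("%")] if m.group(3) else 0
    scale = int(m.group(4)) if m.group(4) else 1
    addr = (regs[base_name] + index * scale + disp) & 0xFFFFFFFFFFFFFFFF
    return addr, base_name


def classify(dump):
    """Triage verdict for one gdb crash dump."""
    regs = parse_registers(dump)
    symbol, mnemonic, operands = parse_fault(dump)
    ops = split_operands(operands)
    mem = [(i, op) for i, op in enumerate(ops) if MEM_OPERAND.search(op)]
    result = {"symbol": symbol, "instruction": f"{mnemonic} {operands}".strip()}
    if not mem:
        result.update(access=None, address=None, base=None, kind="no memory operand")
        return result
    idx, operand = mem[0]
    addr, base = effective_address(operand, regs)
    # AT&T order: the destination is the last operand; compares never write.
    writes = idx == len(ops) - 1 and not mnemonic.startswith(("cmp", "test"))
    access = "write" if writes else "read"
    kind = "null-deref" if addr < NULL_PAGE_LIMIT else "wild-pointer"
    result.update(access=access, address=addr, base=base, kind=kind)
    if kind == "null-deref" and access == "read":
        result["verdict"] = "near-NULL read: crash/DoS, low exploitability; confirm pointer origin"
    elif access == "write":
        result["verdict"] = "write through a bad pointer: treat as potentially exploitable"
    else:
        result["verdict"] = "wild read: check whether the address is attacker-influenced"
    return result


if __name__ == "__main__":
    for k, v in classify(SAMPLE_DUMP).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) else f"{k}: {v}")
```

Run against the sample it reports a null-deref read with base register rax in `js::jit::SnapshotIterator::fromInstructionResult`. The verdict is only a first cut: a near-NULL read from a debugger hook is usually a DoS, but the same bug class (reading an inline-frame snapshot that does not exist) can surface elsewhere as an out-of-bounds read, so the fix still matters.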
Flags: needinfo?(shu)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151201015934" and the hash "9c0499a3aacc1c7e07b171c5e5e091e3471a6faa".
The "bad" changeset has the timestamp "20151201020234" and the hash "33d2af1ba94ed5048425e086c06668316b06a8b6".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9c0499a3aacc1c7e07b171c5e5e091e3471a6faa&tochange=33d2af1ba94ed5048425e086c06668316b06a8b6
Flags: needinfo?(shu)
Attachment #8742459 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/76830a19c86a
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48