Bug 1269721 (Closed) - Opened 6 years ago, Closed 3 years ago

Crash [@ callStackAtAddr] or Assertion failure: success, at jit/JitcodeMap.h:1038 with Debugger

Category: Core :: JavaScript Engine (defect)
Hardware/OS: ARM / Linux
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 1427774
Tracking Status: firefox49 --- affected
Reporter: decoder (Unassigned)
Keywords: assertion, crash, testcase
Whiteboard: [jsbugmon:update,testComment=8,origRev=5f1db4de173d,ignore]

The following testcase crashes on mozilla-central revision 77cead2cd203 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --disable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

enableSPSProfiling();
enableSingleStepProfiling();
g = newGlobal();
dbg = Debugger(g);
function testHookRemoval() {
  dbg.removeDebuggee(g);
}
testDebuggerHooksNX(dbg, g, testHookRemoval);
function testDebuggerHooksNX(dbg, g, testHook) {
  dbg.onEnterFrame = (frame) => {
    frame.onStep = () => {
      testHook("onPop");
    };
  };
  g.eval(`debugger; s = 'a'`);
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
callStackAtAddr (maxResults=64, results=0xffff9d50, ptr=0xf7fd609c, rt=0xf7a3c000, this=0xffff9d20) at js/src/jit/JitcodeMap.h:793
#0  callStackAtAddr (maxResults=64, results=0xffff9d50, ptr=0xf7fd609c, rt=0xf7a3c000, this=0xffff9d20) at js/src/jit/JitcodeMap.h:793
#1  JS::ProfilingFrameIterator::extractStack (this=this@entry=0xffff9ef0, frames=frames@entry=0xffff9f20, offset=offset@entry=0, end=end@entry=16) at js/src/vm/Stack.cpp:1981
#2  0x080910ac in SingleStepCallback (arg=<optimized out>, sim=<optimized out>, pc=0x0) at js/src/shell/js.cpp:4578
#3  0x08370ce0 in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf411d484) at js/src/jit/arm/Simulator-arm.cpp:2554
#4  0x0837130d in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a1c000, instr=instr@entry=0xf411d484) at js/src/jit/arm/Simulator-arm.cpp:3502
#5  0x083727fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a1c000, instr=instr@entry=0xf411d484) at js/src/jit/arm/Simulator-arm.cpp:4424
#6  0x08372d7c in execute<false> (this=0xf7a1c000) at js/src/jit/arm/Simulator-arm.cpp:4479
#7  js::jit::Simulator::callInternal (this=this@entry=0xf7a1c000, entry=entry@entry=0xf7fc87a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4567
#8  0x08372fca in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc87a8 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4650
#9  0x0822bedc in EnterIon (data=..., cx=0xf7a77040) at js/src/jit/Ion.cpp:2767
#10 js::jit::IonCannon (cx=cx@entry=0xf7a77040, state=...) at js/src/jit/Ion.cpp:2863
#11 0x084fafbe in js::RunScript (cx=cx@entry=0xf7a77040, state=...) at js/src/vm/Interpreter.cpp:406
#12 0x084fb0e0 in js::InternalCallOrConstruct (cx=0xf7a77040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#13 0x084fb566 in InternalCall (cx=cx@entry=0xf7a77040, args=...) at js/src/vm/Interpreter.cpp:525
#14 0x084fb5ed in js::CallFromStack (cx=cx@entry=0xf7a77040, args=...) at js/src/vm/Interpreter.cpp:531
#15 0x0818aa47 in js::jit::DoCallFallback (cx=0xf7a77040, frame=frame@entry=0xf45ffb78, stub_=stub_@entry=0xf420f050, argc=argc@entry=1, vp=vp@entry=0xf45ffb38, res=res@entry=...) at js/src/jit/BaselineIC.cpp:5969
#16 0x08370f89 in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf411d484) at js/src/jit/arm/Simulator-arm.cpp:2380
[...]
#28 0x084760ba in Call (rval=..., thisObj=<optimized out>, fval=..., cx=0xf7a77040) at js/src/vm/Interpreter.h:101
#29 js::Debugger::onSingleStep (cx=cx@entry=0xf7a77040, vp=vp@entry=...) at js/src/vm/Debugger.cpp:1806
#30 0x082e7690 in js::jit::HandleDebugTrap (cx=0xf7a77040, frame=frame@entry=0xf45ffc70, retAddr=retAddr@entry=0xf7fd49f0 "\004\260-\345\234\307\b\343\250\307O\343\004\300-\345\v \240\341$ B\342\004 -\345(\340\240\343\024\340\v\345!\304\003\343\004\300-\345\340\303\t\343\374\307O\343<\377/\341\004\260\235", <incomplete sequence \344>, mustReturn=mustReturn@entry=0xf45ffc44) at js/src/jit/VMFunctions.cpp:935
#31 0x08370aff in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf7a02d14) at js/src/jit/arm/Simulator-arm.cpp:2366
[...]
#86 main (argc=5, argv=0xffffcca4, envp=0xffffccbc) at js/src/shell/js.cpp:7483
eax	0xf7a3c000	-140263424
ebx	0x94e3418	156120088
ecx	0xf7fd609c	-134389604
edx	0x0	0
esi	0xf4203bb0	-199214160
edi	0xffff9ef0	-24848
ebp	0xffff9e68	4294942312
esp	0xffff9cd0	4294941904
eip	0x85692a9 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+249>
=> 0x85692a9 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+249>:	movl   $0x319,0x0
   0x85692b3 <JS::ProfilingFrameIterator::extractStack(JS::ProfilingFrameIterator::Frame*, unsigned int, unsigned int) const+259>:	call   0x80972f0 <abort()>
Possibly similar to bug 1275268?
See Also: → 1275268
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Simulator is on the stack and bug 1275268 may also be related, so setting needinfo? from Sean as a start.
Flags: needinfo?(sstangl)
Forwarding to djvj because jit profiling stuff.
Flags: needinfo?(jdemooij) → needinfo?(kvijayan)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Whiteboard: [jsbugmon:update,testComment=3,origRev=5f1db4de173d] → [jsbugmon:testComment=3,origRev=5f1db4de173d]
enableGeckoProfiling();
enableSingleStepProfiling();
g = newGlobal();
dbg = Debugger(g);
function testHookRemoval() {
  dbg.removeDebuggee(g);
}
testDebuggerHooksNX(dbg, g, testHookRemoval);
function testDebuggerHooksNX(dbg, g, testHook) {
  dbg.onEnterFrame = (frame) => {
    frame.onStep = () => {
      testHook("onPop");
    };
  };
  g.eval(`debugger; s = 'a'`);
}

Still reproduces on m-c rev 5f1db4de173d, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager
Whiteboard: [jsbugmon:testComment=3,origRev=5f1db4de173d] → [jsbugmon:update,testComment=8,origRev=5f1db4de173d]
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/70a8168c7d24
user:        Kannan Vijayan
date:        Thu Jan 15 20:11:21 2015 -0500
summary:     Bug 1057082 - 3/7 - Modify jits to use lastProfilingFrame and lastProfilingCallSite fields. r=jandem

I managed to bisect this. Kannan, is bug 1057082 a likely regressor?
Blocks: 1057082
Flags: needinfo?(sstangl)
Closing because no crash has been reported in 12 weeks.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats.  Other resolutions may be appropriate for other reasons.

(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes.  The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Whiteboard: [jsbugmon:update,testComment=8,origRev=5f1db4de173d] → [jsbugmon:update,testComment=8,origRev=5f1db4de173d,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision cbeaa2d94304).
autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c4825f987736
user:        Iain Ireland
date:        Mon Oct 22 18:36:06 2018 +0000
summary:     Bug 1427774: Fix baseline return address more consistently in JSJitProfilingFrameIterator r=djvj

Iain, is bug 1427774 a likely fix?
Flags: needinfo?(kvijayan) → needinfo?(iireland)
Yes, this looks like a duplicate of that bug.
Flags: needinfo?(iireland)
Thanks! Duping to bug 1427774 as per comment 14.
Status: REOPENED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1427774