1275268 - Crash [@ JS::ProfilingFrameIterator::getPhysicalFrameAndEntry] or Assertion failure: entry, at jit/JitcodeMap.h:1038 with Debugger

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 16663eb3dcfa (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --disable-debug, run with --fuzzing-safe --baseline-eager --ion-offthread-compile=off):

enableSPSProfiling();
enableSingleStepProfiling();
function removeAdd()
  dbg.removeDebuggee(g)
g = newGlobal();
dbg = Debugger(g);
g.eval("" + function f() {});
function testTrap(toggleSeq) {
    dbg.onEnterFrame = function(f)
    f.script.setBreakpoint(0, {
        hit() {
            toggleSeq()
        }
    })
    assertEq(g.f());
}
testTrap(removeAdd);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
JS::ProfilingFrameIterator::getPhysicalFrameAndEntry (this=this@entry=0xffff9fd0, entry=entry@entry=0xffff9e00) at js/src/vm/Stack.cpp:1943
#0  JS::ProfilingFrameIterator::getPhysicalFrameAndEntry (this=this@entry=0xffff9fd0, entry=entry@entry=0xffff9e00) at js/src/vm/Stack.cpp:1943
#1  0x0852734c in JS::ProfilingFrameIterator::extractStack (this=this@entry=0xffff9fd0, frames=frames@entry=0xffffa000, offset=offset@entry=0, end=end@entry=16) at js/src/vm/Stack.cpp:1967
#2  0x08091bdc in SingleStepCallback (arg=<optimized out>, sim=<optimized out>, pc=0x0) at js/src/shell/js.cpp:4565
#3  0x0834dc90 in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf7a02a34) at js/src/jit/arm/Simulator-arm.cpp:2554
#4  0x0834e2bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a1c000, instr=instr@entry=0xf7a02a34) at js/src/jit/arm/Simulator-arm.cpp:3502
#5  0x0834e5fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a1c000, instr=instr@entry=0xf7a02a34) at js/src/jit/arm/Simulator-arm.cpp:4424
#6  0x0835112c in execute<false> (this=0xf7a1c000) at js/src/jit/arm/Simulator-arm.cpp:4479
#7  js::jit::Simulator::callInternal (this=this@entry=0xf7a1c000, entry=entry@entry=0xf7fc8840 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4567
#8  0x0835137a in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8840 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4650
#9  0x08169e30 in EnterBaseline (cx=cx@entry=0xf7a77040, data=...) at js/src/jit/BaselineJIT.cpp:150
#10 0x08179b9f in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a77040, state=...) at js/src/jit/BaselineJIT.cpp:188
#11 0x084bd07b in js::RunScript (cx=cx@entry=0xf7a77040, state=...) at js/src/vm/Interpreter.cpp:416
#12 0x084bd230 in js::InternalCallOrConstruct (cx=0xf7a77040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#13 0x084bd6b6 in InternalCall (cx=cx@entry=0xf7a77040, args=...) at js/src/vm/Interpreter.cpp:525
#14 0x084bd73d in js::CallFromStack (cx=cx@entry=0xf7a77040, args=...) at js/src/vm/Interpreter.cpp:531
#15 0x0874a387 in js::jit::DoCallFallback (cx=0xf7a77040, frame=frame@entry=0xf45ffba0, stub_=stub_@entry=0xf7a91050, argc=argc@entry=0, vp=vp@entry=0xf45ffb70, res=res@entry=...) at js/src/jit/BaselineIC.cpp:5973
#16 0x0834df39 in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf7a02a34) at js/src/jit/arm/Simulator-arm.cpp:2380
#17 0x0834e2bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a1c000, instr=instr@entry=0xf7a02a34) at js/src/jit/arm/Simulator-arm.cpp:3502
#18 0x0834e5fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a1c000, instr=instr@entry=0xf7a02a34) at js/src/jit/arm/Simulator-arm.cpp:4424
#19 0x0835112c in execute<false> (this=0xf7a1c000) at js/src/jit/arm/Simulator-arm.cpp:4479
#20 js::jit::Simulator::callInternal (this=this@entry=0xf7a1c000, entry=entry@entry=0xf7fc8840 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4567
#21 0x0835137a in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8840 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4650
#22 0x08169e30 in EnterBaseline (cx=cx@entry=0xf7a77040, data=...) at js/src/jit/BaselineJIT.cpp:150
#23 0x08179b9f in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a77040, state=...) at js/src/jit/BaselineJIT.cpp:188
#24 0x084bd07b in js::RunScript (cx=cx@entry=0xf7a77040, state=...) at js/src/vm/Interpreter.cpp:416
#25 0x084bd230 in js::InternalCallOrConstruct (cx=0xf7a77040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#26 0x084bd6b6 in InternalCall (cx=cx@entry=0xf7a77040, args=...) at js/src/vm/Interpreter.cpp:525
#27 0x084bd774 in js::Call (cx=cx@entry=0xf7a77040, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:544
#28 0x08453320 in CallMethodIfPresent (name=0x890aadf "hit", argc=1, rval=..., argv=0xffffae58, obj=..., cx=0xf7a77040) at js/src/vm/Debugger.cpp:1471
#29 js::Debugger::onTrap (cx=cx@entry=0xf7a77040, vp=vp@entry=...) at js/src/vm/Debugger.cpp:1730
#30 0x082f8298 in js::jit::HandleDebugTrap (cx=0xf7a77040, frame=frame@entry=0xf45ffc98, retAddr=retAddr@entry=0xf7fd2f88 "}0\340", <incomplete sequence \343>, mustReturn=mustReturn@entry=0xf45ffc6c) at js/src/jit/VMFunctions.cpp:938
#31 0x0834daaf in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf7a02ea4) at js/src/jit/arm/Simulator-arm.cpp:2366
#32 0x0834e2bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a1c000, instr=instr@entry=0xf7a02ea4) at js/src/jit/arm/Simulator-arm.cpp:3502
#33 0x0834e5fc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a1c000, instr=instr@entry=0xf7a02ea4) at js/src/jit/arm/Simulator-arm.cpp:4424
#34 0x0835112c in execute<false> (this=0xf7a1c000) at js/src/jit/arm/Simulator-arm.cpp:4479
#35 js::jit::Simulator::callInternal (this=this@entry=0xf7a1c000, entry=entry@entry=0xf7fc8840 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4567
#36 0x0835137a in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8840 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4650
#37 0x08169e30 in EnterBaseline (cx=cx@entry=0xf7a77040, data=...) at js/src/jit/BaselineJIT.cpp:150
#38 0x08179b9f in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a77040, state=...) at js/src/jit/BaselineJIT.cpp:188
#39 0x084bd07b in js::RunScript (cx=cx@entry=0xf7a77040, state=...) at js/src/vm/Interpreter.cpp:416
#40 0x084bd230 in js::InternalCallOrConstruct (cx=0xf7a77040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#41 0x084bd6b6 in InternalCall (cx=cx@entry=0xf7a77040, args=...) at js/src/vm/Interpreter.cpp:525
#42 0x084bd774 in js::Call (cx=cx@entry=0xf7a77040, fval=fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:544
#43 0x08430257 in js::Wrapper::call (this=this@entry=0x952f3cc <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xf7a77040, proxy=proxy@entry=..., args=...) at js/src/proxy/Wrapper.cpp:163
#44 0x08426254 in js::CrossCompartmentWrapper::call (this=0x952f3cc <js::CrossCompartmentWrapper::singleton>, cx=0xf7a77040, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:309
#45 0x0841d4e8 in js::Proxy::call (cx=cx@entry=0xf7a77040, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:399
#46 0x0841dfb3 in js::proxy_Call (cx=cx@entry=0xf7a77040, argc=0, vp=0xf45ffd90) at js/src/proxy/Proxy.cpp:691
#47 0x084bd64e in CallJSNative (args=..., native=0x841df50 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0xf7a77040) at js/src/jscntxtinlines.h:235
#48 js::InternalCallOrConstruct (cx=0xf7a77040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:468
#49 0x084bd6b6 in InternalCall (cx=cx@entry=0xf7a77040, args=...) at js/src/vm/Interpreter.cpp:525
#50 0x084bd73d in js::CallFromStack (cx=cx@entry=0xf7a77040, args=...) at js/src/vm/Interpreter.cpp:531
#51 0x0874a387 in js::jit::DoCallFallback (cx=0xf7a77040, frame=frame@entry=0xf45ffdd0, stub_=stub_@entry=0xf7a92168, argc=argc@entry=0, vp=vp@entry=0xf45ffd90, res=res@entry=...) at js/src/jit/BaselineIC.cpp:5973
[...]
#82 main (argc=5, argv=0xffffccb4, envp=0xffffcccc) at js/src/shell/js.cpp:7470
eax	0x0	0
ebx	0x94feb18	156232472
ecx	0xffffffff	-1
edx	0xf403b208	-201084408
esi	0xffff9de0	-25120
edi	0xffff9e00	-25088
ebp	0xffff9fd0	4294942672
esp	0xffff9d70	4294942064
eip	0x85271e2 <JS::ProfilingFrameIterator::getPhysicalFrameAndEntry(js::jit::JitcodeGlobalEntry*) const+162>
=> 0x85271e2 <JS::ProfilingFrameIterator::getPhysicalFrameAndEntry(js::jit::JitcodeGlobalEntry*) const+162>:	mov    (%eax),%edx
   0x85271e4 <JS::ProfilingFrameIterator::getPhysicalFrameAndEntry(js::jit::JitcodeGlobalEntry*) const+164>:	mov    %edx,(%edi)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This seems to go back before mid-June 2015 m-c rev 25e99bc12482.

Since ARM stuff is on the stack, I'm setting needinfo? from Jakob as a start, but please feel free to move it on as necessary.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

But then again, also adding Debugger folks on cc in case this is more on the Debugger side.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Bug 1269721 might be related.

Comment 4

[Jakob Stoklund Olesen [:jolesen]]

I don't recognize much in this backtrace, :fitzgen do you?

Comment 5

[Nick Fitzgerald [:fitzgen] [⏰PST; UTC-8]]

I tried to reproduce, but couldn't get an arm simulator build going. Punting to folks who worked on the profiler integration.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Setting needinfo? from Sean since ARM might be involved.

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This seems to WFM as of m-c rev 93b37aa497c4. autoBisect was unable to figure out the fix, so let's just resolve this years' old bug and file new ones for future ones going forward.