Crash [@ ??] with Debugger

RESOLVED FIXED in Firefox 58

Status

()

Product:
Core
Component:
JavaScript Engine
Type:
defect
Importance:
P1
critical
Status:
RESOLVED FIXED
Opened:
2 years ago
Updated:
2 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks 1 bug, 4 keywords)

Version:
Trunk
Target:
mozilla59
Platform:
x86_64
Linux
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox57 unaffected, firefox58+ fixed, firefox59+ fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

Patch
3.73 KB, patch
tcampbell
: review+
gchang
: approval-mozilla-beta+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision fc194660762d+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;
    for (var i = 0; i < upCount; i++)
      frame = frame.older;
    var completion = frame.eval(code);
    if (completion.throw)
      throw v;
  };
})(this);
try {
  function f() {
    var x = x;
    for (var i = 0; i < 10; - i)
      g(100 * i + x);
  }
  function h() {
    var z = 5;
    evalInFrame(0, "a.push(z)");
    evalInFrame(1, "a.push(y)");
  }
  function g() {
    var y = 4;
    h();
  }
  f();
} catch (exc) {}
eval(`
var a = [1,2,3,4];
function f() {
  var x = x;
  for (var i = 0; i < 10; -i)
    g(100 * i + x);
}
f();
`);


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00000b9136c45d13 in ?? ()
#0  0x00000b9136c45d13 in ?? ()
#1  0x00000b9136c9391a in ?? ()
#2  0xfff9000000000000 in ?? ()
#3  0xfffe7ffff44aca40 in ?? ()
#4  0xfff8800000000004 in ?? ()
#5  0x0000000000000000 in ?? ()
rax	0x1	1
rbx	0xfff9000000000000	-1970324836974592
rcx	0xfff9000000000000	-1970324836974592
rdx	0x7fffffffa8e8	140737488333032
rsi	0x1	1
rdi	0x0	0
rbp	0x7fffffffa6e8	140737488332520
rsp	0x7fffffffa698	140737488332440
r8	0x0	0
r9	0x1	1
r10	0x7ffff5f20800	140737319667712
r11	0x20	32
r12	0x8	8
r13	0x7fffffffb500	140737488336128
r14	0x2043	8259
r15	0x7fffffffa8b0	140737488332976
rip	0xb9136c45d13	12718317002003
=> 0xb9136c45d13:	mov    0x20(%rdi),%rdi
   0xb9136c45d17:	jmpq   *(%rdi)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/21fe8fa6b8e6
user:        Jan de Mooij
date:        Mon Nov 06 14:10:23 2017 +0100
summary:     Bug 1414228 - Allocate type monitor fallback stubs lazily instead of allocating them in BaselineCompiler. r=tcampbell

This iteration took 290.279 seconds to run.
Flags: needinfo?(jdemooij)
Priority: -- → P1
Posted patch PatchSplinter Review 
Debug mode OSR bug related to Ion bailouts. We hit the oldStub->isFallback() code here:

https://searchfox.org/mozilla-central/rev/c633ffa4c4611f202ca11270dcddb7b29edddff8/js/src/jit/BaselineDebugModeOSR.cpp#735-742

And in this case we didn't ensure we had a type monitor fallback stub. Then we could crash in the bailout return code here:

https://searchfox.org/mozilla-central/rev/c633ffa4c4611f202ca11270dcddb7b29edddff8/js/src/jit/BaselineIC.cpp#3009-3041

This patch just moves the getFallbackMonitorStub call before the isFallback check.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8930056 - Flags: review?(tcampbell)
Debug mode only but there's an easy fix so we should just backport this.
status-firefox57: --- → unaffected
status-firefox59: --- → affected
status-firefox-esr52: --- → unaffected
tracking-firefox58: --- → ?
tracking-firefox59: --- → ?
Comment on attachment 8930056 [details] [diff] [review]
Patch

Review of attachment 8930056 [details] [diff] [review]:
-----------------------------------------------------------------

Ah, interesting. Thanks fuzzers.
Attachment #8930056 - Flags: review?(tcampbell) → review+
Tracking this to make sure it lands and we uplift the fix.
tracking-firefox58: ?+
tracking-firefox59: ?+
Jan, is there anything blocking from landing the patch?
Flags: needinfo?(jdemooij)
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6f2097108539
Fix Baseline debug mode OSR to delazify type monitor chains correctly. r=tcampbell
Comment on attachment 8930056 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1414228.
[User impact if declined]: Crashes when using debugger.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Not yet.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Just moves some code; only affects the debugger.
[String changes made/needed]: None.
Flags: needinfo?(jdemooij)
Attachment #8930056 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/6f2097108539
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox59: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment on attachment 8930056 [details] [diff] [review]
Patch

Fix a crash when using the debugger. Beta58+.
Attachment #8930056 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.