Bug 1417961 - Crash [@ ??] with Debugger
Status: RESOLVED FIXED (Closed); opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect, P1
Target Milestone: mozilla59
Tracking:
| Branch | Tracking | Status |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox57 | --- | unaffected |
| firefox58 | + | fixed |
| firefox59 | + | fixed |
People: Reporter: decoder, Assigned: jandem
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments (1 file): Patch, 3.73 KB; tcampbell: review+; gchang: approval-mozilla-beta+
The following testcase crashes on mozilla-central revision fc194660762d+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):
var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;
    for (var i = 0; i < upCount; i++)
      frame = frame.older;
    var completion = frame.eval(code);
    if (completion.throw)
      throw v;
  };
})(this);
try {
  function f() {
    var x = x;
    for (var i = 0; i < 10; - i)
      g(100 * i + x);
  }
  function h() {
    var z = 5;
    evalInFrame(0, "a.push(z)");
    evalInFrame(1, "a.push(y)");
  }
  function g() {
    var y = 4;
    h();
  }
  f();
} catch (exc) {}
eval(`
  var a = [1,2,3,4];
  function f() {
    var x = x;
    for (var i = 0; i < 10; -i)
      g(100 * i + x);
  }
  f();
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00000b9136c45d13 in ?? ()
#0 0x00000b9136c45d13 in ?? ()
#1 0x00000b9136c9391a in ?? ()
#2 0xfff9000000000000 in ?? ()
#3 0xfffe7ffff44aca40 in ?? ()
#4 0xfff8800000000004 in ?? ()
#5 0x0000000000000000 in ?? ()
rax 0x1 1
rbx 0xfff9000000000000 -1970324836974592
rcx 0xfff9000000000000 -1970324836974592
rdx 0x7fffffffa8e8 140737488333032
rsi 0x1 1
rdi 0x0 0
rbp 0x7fffffffa6e8 140737488332520
rsp 0x7fffffffa698 140737488332440
r8 0x0 0
r9 0x1 1
r10 0x7ffff5f20800 140737319667712
r11 0x20 32
r12 0x8 8
r13 0x7fffffffb500 140737488336128
r14 0x2043 8259
r15 0x7fffffffa8b0 140737488332976
rip 0xb9136c45d13 12718317002003
=> 0xb9136c45d13: mov 0x20(%rdi),%rdi
0xb9136c45d17: jmpq *(%rdi)
Updated 8 years ago:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 (8 years ago)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/21fe8fa6b8e6
user: Jan de Mooij
date: Mon Nov 06 14:10:23 2017 +0100
summary: Bug 1414228 - Allocate type monitor fallback stubs lazily instead of allocating them in BaselineCompiler. r=tcampbell
This iteration took 290.279 seconds to run.
Updated 8 years ago:
Flags: needinfo?(jdemooij)
Priority: -- → P1
Comment 2 (Assignee, 8 years ago)
Debug mode OSR bug related to Ion bailouts. We hit the oldStub->isFallback() code here:
https://searchfox.org/mozilla-central/rev/c633ffa4c4611f202ca11270dcddb7b29edddff8/js/src/jit/BaselineDebugModeOSR.cpp#735-742
And in this case we didn't ensure we had a type monitor fallback stub. Then we could crash in the bailout return code here:
https://searchfox.org/mozilla-central/rev/c633ffa4c4611f202ca11270dcddb7b29edddff8/js/src/jit/BaselineIC.cpp#3009-3041
This patch just moves the getFallbackMonitorStub call before the isFallback check.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8930056 -
Flags: review?(tcampbell)
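The ordering problem described in comment 2, as an added illustration that is not code from this bug, from the attached patch, or from SpiedMonkey itself. It is a simplified model: the stub and chain shapes, the function names and the exact loop structure are assumptions, chosen only to show how a lazily allocated monitor stub can be consumed before anything has forced its allocation, and why moving the getFallbackMonitorStub call ahead of the isFallback check closes every exit path of the loop.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not SpiderMonkey code: an IC chain of stubs ending in a
 * fallback stub, whose type-monitor fallback stub is allocated lazily
 * (NULL until something asks for it). Names and shapes are assumptions. */
typedef struct MonitorStub {
    int kind;                       /* 1 = type-monitor fallback stub */
} MonitorStub;

typedef struct ICStub {
    bool isFallback;
    struct ICStub *next;            /* next stub in the chain, NULL at the end */
    MonitorStub *fallbackMonitor;   /* only used on the fallback stub; lazily allocated */
} ICStub;

/* Delazify: allocate the monitor fallback stub on first request. */
static MonitorStub *get_fallback_monitor_stub(ICStub *fallback) {
    assert(fallback->isFallback);
    if (fallback->fallbackMonitor == NULL) {
        MonitorStub *m = calloc(1, sizeof *m);
        if (m == NULL)
            abort();
        m->kind = 1;
        fallback->fallbackMonitor = m;
    }
    return fallback->fallbackMonitor;
}

/* Broken ordering (a hypothetical reconstruction of the pre-fix loop): only
 * non-fallback stubs reach the delazify call, so an old chain holding nothing
 * but its fallback stub hands back a monitor pointer nobody allocated. */
static MonitorStub *relink_monitor_buggy(ICStub *oldChain, ICStub *newFallback) {
    for (ICStub *s = oldChain; s != NULL; s = s->next) {
        if (s->isFallback)
            return newFallback->fallbackMonitor;   /* may still be NULL */
        get_fallback_monitor_stub(newFallback);
    }
    return NULL;
}

/* Fixed ordering, as the patch describes: request the monitor stub before the
 * isFallback check, so every path out of the loop has allocated it. */
static MonitorStub *relink_monitor_fixed(ICStub *oldChain, ICStub *newFallback) {
    for (ICStub *s = oldChain; s != NULL; s = s->next) {
        MonitorStub *m = get_fallback_monitor_stub(newFallback);
        if (s->isFallback)
            return m;
    }
    return NULL;
}

/* Stand-in for the bailout return path that jumps through the monitor stub.
 * The real engine has no NULL check there (rdi == 0 at the faulting
 * `mov 0x20(%rdi),%rdi` in the register dump); this model returns -1
 * instead of faulting so the bad ordering is observable. */
static int bailout_return_through(MonitorStub *m) {
    if (m == NULL)
        return -1;
    return m->kind;
}

/* Scenario 1: the old chain is just a fallback stub (no optimized stubs yet). */
static int scenario_fallback_only(bool fixed) {
    ICStub oldFallback = { .isFallback = true, .next = NULL, .fallbackMonitor = NULL };
    ICStub newFallback = { .isFallback = true, .next = NULL, .fallbackMonitor = NULL };
    MonitorStub *m = fixed ? relink_monitor_fixed(&oldFallback, &newFallback)
                           : relink_monitor_buggy(&oldFallback, &newFallback);
    int r = bailout_return_through(m);
    free(newFallback.fallbackMonitor);
    return r;
}

/* Scenario 2: one optimized stub in front of the fallback. Both orderings
 * delazify here, which is why the common case never exposed the bug. */
static int scenario_with_optimized_stub(bool fixed) {
    ICStub oldFallback = { .isFallback = true, .next = NULL, .fallbackMonitor = NULL };
    ICStub oldOpt = { .isFallback = false, .next = &oldFallback, .fallbackMonitor = NULL };
    ICStub newFallback = { .isFallback = true, .next = NULL, .fallbackMonitor = NULL };
    MonitorStub *m = fixed ? relink_monitor_fixed(&oldOpt, &newFallback)
                           : relink_monitor_buggy(&oldOpt, &newFallback);
    int r = bailout_return_through(m);
    free(newFallback.fallbackMonitor);
    return r;
}

int main(void) {
    printf("fallback-only chain: buggy=%d fixed=%d\n",
           scenario_fallback_only(false), scenario_fallback_only(true));
    printf("chain with optimized stub: buggy=%d fixed=%d\n",
           scenario_with_optimized_stub(false), scenario_with_optimized_stub(true));
    return 0;
}
```

The point to take from the model is the regression shape rather than the specific data structures: once an allocation becomes lazy, every consumer that previously relied on the object existing has to force it, and the early-return arm of a loop is the path reviewers most often miss. Scenario 1 is the shape the fuzzer found (a debuggee frame whose IC chain had seen no optimized stub), and only the fixed ordering survives it.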
Comment 3 (Assignee, 8 years ago)
Debug mode only but there's an easy fix so we should just backport this.
status-firefox57: --- → unaffected
status-firefox59: --- → affected
status-firefox-esr52: --- → unaffected
tracking-firefox58: --- → ?
tracking-firefox59: --- → ?
Comment 4 (8 years ago)
Comment on attachment 8930056 [details] [diff] [review]
Patch
Review of attachment 8930056 [details] [diff] [review]:
-----------------------------------------------------------------
Ah, interesting. Thanks fuzzers.
Attachment #8930056 -
Flags: review?(tcampbell) → review+
Comment 6 (8 years ago)
Jan, is there anything blocking the patch from landing?
Flags: needinfo?(jdemooij)
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6f2097108539
Fix Baseline debug mode OSR to delazify type monitor chains correctly. r=tcampbell
Comment 8 (Assignee, 8 years ago)
Comment on attachment 8930056 [details] [diff] [review]
Patch
Approval Request Comment
[Feature/Bug causing the regression]: Bug 1414228.
[User impact if declined]: Crashes when using debugger.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Not yet.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Just moves some code; only affects the debugger.
[String changes made/needed]: None.
Flags: needinfo?(jdemooij)
Attachment #8930056 -
Flags: approval-mozilla-beta?
Comment 9 (bugherder, 8 years ago)
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment 10 (8 years ago)
Comment on attachment 8930056 [details] [diff] [review]
Patch
Fix a crash when using the debugger. Beta58+.
Attachment #8930056 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 11 (bugherder uplift, 8 years ago)
Flags: in-testsuite+