1427774 - Crash [@ JS::ProfilingFrameIterator::getPhysicalFrameAndEntry] or Assertion failure: entry, at jit/JitcodeMap.h:1051

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P2)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision ac93fdadf102 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe):

setJitCompilerOption("baseline.warmup.trigger", 0);
enableGeckoProfiling();
enableSingleStepProfiling();
function removeAdd(dbg, g) {
    dbg.removeDebuggee(g);
}
function newGlobalDebuggerPair(toggleSeq) {
    var g = newGlobal();
    var dbg = new Debugger;
    dbg.addDebuggee(g);
    g.eval("" + function f() {});
    return [g, dbg];
}
function testTrap(toggleSeq) {
    var [g, dbg] = newGlobalDebuggerPair(toggleSeq);
    dbg.onEnterFrame = function(f) {
        f.script.setBreakpoint(Symbol.iterator == (this) ^ (this), {
            hit: function() {
                toggleSeq(dbg, g);
            }
        });
    };
    assertEq(g.f(), 100);
}
testTrap(removeAdd);


Backtrace:

received signal SIGSEGV, Segmentation fault.
JS::ProfilingFrameIterator::getPhysicalFrameAndEntry (this=0xffffa1dc, entry=0xffff9ffc) at js/src/vm/Stack.cpp:2015
#0  JS::ProfilingFrameIterator::getPhysicalFrameAndEntry (this=0xffffa1dc, entry=0xffff9ffc) at js/src/vm/Stack.cpp:2015
#1  0x08610148 in JS::ProfilingFrameIterator::extractStack (this=0xffffa1dc, frames=0xffffa20c, offset=0, end=16) at js/src/vm/Stack.cpp:2039
#2  0x08099806 in SingleStepCallback (arg=0xf6e19800, sim=<optimized out>, pc=<optimized out>) at js/src/shell/js.cpp:5458
#3  0x08413eab in js::jit::Simulator::softwareInterrupt (this=0xf6e51000, instr=0xf6e08f04) at js/src/jit/arm/Simulator-arm.cpp:2868
[...]
#10 0x082b4585 in js::jit::MaybeEnterJit (cx=0xf6e19800, state=...) at js/src/jit/Jit.cpp:163
[...]
#16 0x08413d3e in js::jit::Simulator::softwareInterrupt (this=0xf6e51000, instr=0xf6e08f04) at js/src/jit/arm/Simulator-arm.cpp:2672
[...]
#23 0x082b4585 in js::jit::MaybeEnterJit (cx=0xf6e19800, state=...) at js/src/jit/Jit.cpp:163
#24 0x0816629a in js::RunScript (cx=0xf6e19800, state=...) at js/src/vm/Interpreter.cpp:408
#25 0x081667f6 in js::InternalCallOrConstruct (cx=0xf6e19800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#26 0x08166a02 in InternalCall (cx=cx@entry=0xf6e19800, args=...) at js/src/vm/Interpreter.cpp:522
#27 0x08166ae4 in js::Call (cx=0xf6e19800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:541
#28 0x08572ab4 in CallMethodIfPresent (name=0x880ce2a "hit", argc=1, rval=..., argv=0xffffb228, obj=..., cx=<optimized out>) at js/src/vm/Debugger.cpp:1753
#29 js::Debugger::onTrap (cx=0xf6e19800, vp=...) at js/src/vm/Debugger.cpp:2038
#30 0x0836533b in js::jit::HandleDebugTrap (cx=0xf6e19800, frame=0xf53ffdc8, retAddr=0x2a1e0718 "}0\340", <incomplete sequence \343>, mustReturn=0xf53ffda0) at js/src/jit/VMFunctions.cpp:1103
#31 0x08414156 in js::jit::Simulator::softwareInterrupt (this=0xf6e51000, instr=0xf6e08714) at js/src/jit/arm/Simulator-arm.cpp:2598
[...]
#38 0x082b4585 in js::jit::MaybeEnterJit (cx=0xf6e19800, state=...) at js/src/jit/Jit.cpp:163
#39 0x0816629a in js::RunScript (cx=0xf6e19800, state=...) at js/src/vm/Interpreter.cpp:408
#40 0x081667f6 in js::InternalCallOrConstruct (cx=0xf6e19800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#41 0x08166a02 in InternalCall (cx=cx@entry=0xf6e19800, args=...) at js/src/vm/Interpreter.cpp:522
#42 0x08166ae4 in js::Call (cx=0xf6e19800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:541
#43 0x084fceb8 in js::ForwardingProxyHandler::call (this=0x8b1b518 <js::CrossCompartmentWrapper::singleton>, cx=0xf6e19800, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:176
#44 0x084f0c2f in js::CrossCompartmentWrapper::call (this=0x8b1b518 <js::CrossCompartmentWrapper::singleton>, cx=0xf6e19800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:359
#45 0x084ef64d in js::Proxy::call (cx=0xf6e19800, proxy=..., args=...) at js/src/proxy/Proxy.cpp:511
#46 0x084ef70b in js::proxy_Call (cx=0xf6e19800, argc=0, vp=0xf53ffec0) at js/src/proxy/Proxy.cpp:770
#47 0x08166840 in js::CallJSNative (args=..., native=<optimized out>, cx=0xf6e19800) at js/src/jscntxtinlines.h:291
#48 js::InternalCallOrConstruct (cx=0xf6e19800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:455
#49 0x08166a02 in InternalCall (cx=cx@entry=0xf6e19800, args=...) at js/src/vm/Interpreter.cpp:522
#50 0x08166aad in js::CallFromStack (cx=0xf6e19800, args=...) at js/src/vm/Interpreter.cpp:528
#51 0x081f90e2 in js::jit::DoCallFallback (cx=0xf6e19800, frame=0xf53fff00, stub_=0xf4f4e370, argc=0, vp=0xf53ffec0, res=...) at js/src/jit/BaselineIC.cpp:2559
#52 0x08413d3e in js::jit::Simulator::softwareInterrupt (this=0xf6e51000, instr=0xf6e08f04) at js/src/jit/arm/Simulator-arm.cpp:2672
[...]
#58 0x082b099f in EnterJit (cx=0xf6e19800, state=..., code=0x2a1dbe00 "\004\340-\345\006") at js/src/jit/Jit.cpp:101
[...]
#69 main (argc=3, argv=0xffffce04, envp=0xffffce14) at js/src/shell/js.cpp:9141
eax	0x0	0
ebx	0xf6e76080	-152608640
ecx	0x0	0
edx	0xf4f613b0	-185199696
esi	0xffff9ffc	-24580
edi	0xffffa1dc	-24100
ebp	0xffffa034	4294942772
esp	0xffff9f90	4294942608
eip	0x860ff18 <JS::ProfilingFrameIterator::getPhysicalFrameAndEntry(js::jit::JitcodeGlobalEntry*) const+104>
=> 0x860ff18 <JS::ProfilingFrameIterator::getPhysicalFrameAndEntry(js::jit::JitcodeGlobalEntry*) const+104>:	mov    (%eax),%ecx
   0x860ff1a <JS::ProfilingFrameIterator::getPhysicalFrameAndEntry(js::jit::JitcodeGlobalEntry*) const+106>:	add    $0x10,%esp

Comment 1

[Sylvestre Ledru [:Sylvestre]]

Closing because no crash reported since 12 weeks.

Comment 2

[Sylvestre Ledru [:Sylvestre]]

Closing because no crash reported since 12 weeks.

Comment 3

[Christian Holler (:decoder)]

This bug still reproduces on tip, using runtime options --fuzzing-safe --thread-count=2 --disable-oom-functions --ion-extra-checks with 32-bit debug build.

Comment 4

[Christian Holler (:decoder)]

(In reply to Christian Holler (:decoder) from comment #3)
> This bug still reproduces on tip, using runtime options --fuzzing-safe
> --thread-count=2 --disable-oom-functions --ion-extra-checks with 32-bit
> debug build.

Sorry, this was for another bug. But this bug also still reproduces, same options as in comment 0.

Comment 5

[Iain Ireland [:iain]]

Attachment: Bug 1427774: Fix baseline return address more consistently in JSJitProfilingFrameIterator r?djvj

Comment 6

[Iain Ireland [:iain]]

This bug is a variant of bug 1140741.

ProfilingFrameIterator expects the return address of each frame to point inside the function it returns to. In some cases (generator.throw/return, debug-mode OSR) this is not true for baseline frames. When moving to a new baseline frame, we therefore call fixBaselineReturnAddress to detect these cases and work around them. However, fixBaselineReturnAddress was only being called if we were directly moving to a baseline frame. If there was a baseline stub or a rectifier in between, we did not call fixBaselineReturnAddress, even if we we eventually ended up settled on a baseline frame.

This patch adds calls to fixBaselineReturnAddress in the necessary places.

Comment 7

[Pulsebot]

Pushed by kvijayan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c4825f987736
Fix baseline return address more consistently in JSJitProfilingFrameIterator r=djvj

Comment 8

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/c4825f987736