Closed Bug 1452586 Opened 6 years ago Closed 5 years ago

Crash [@ vixl::Simulator::LogRead] with Debugger

Categories

(Core :: JavaScript Engine, defect, P3)

ARM64
Linux
defect


RESOLVED WORKSFORME
Tracking Status
firefox61 --- fix-optional

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect][arm64:m4])


The following testcase crashes on mozilla-central revision 9cb650de48f9+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize --enable-simulator=arm64, run with --fuzzing-safe):

var g = newGlobal();
g.parent = this;
// From a second global, attach a Debugger to this global and install an
// onStep hook on every frame that gets entered.
g.eval("(" + function() {
    var dbg = Debugger(parent);
    dbg.onEnterFrame = function(frame) {
        frame.onStep = function() {}
    }
} + ")()");

// Walk the own properties of each builtin constructor while the debugger is stepping.
function checkMethods(proto) {
    var names = Object.getOwnPropertyNames(proto);
    for (var i = 0; i < names.length; i++) {
        var name = names[i];
        if (name) continue;
        var prop = proto[name];
        if (typeof prop === "function") checkMethod(prop);
    }
}
var builtin_ctors = [
    Object, Function, Array, String, Boolean, Number, Date, RegExp, Error,
];
for (var i = 0; i < builtin_ctors.length; i++) {
    checkMethods(builtin_ctors[i]);
}


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00000000009e3ec4 in vixl::Simulator::LogRead (format=<optimized out>, reg_code=<optimized out>, address=<optimized out>, this=<optimized out>) at js/src/jit/arm64/vixl/Simulator-vixl.h:1203
#0  0x00000000009e3ec4 in vixl::Simulator::LogRead (format=<optimized out>, reg_code=<optimized out>, address=<optimized out>, this=<optimized out>) at js/src/jit/arm64/vixl/Simulator-vixl.h:1203
#1  vixl::Simulator::LoadStorePairHelper (this=0x7ffff5f3b000, instr=0x2c949e7cab7c, addrmode=<optimized out>) at js/src/jit/arm64/vixl/Simulator-vixl.cpp:1233
#2  0x000000000094eb88 in vixl::Decoder::VisitLoadStorePairPostIndex (this=<optimized out>, instr=0x2c949e7cab7c) at js/src/jit/arm64/vixl/Decoder-vixl.cpp:872
#3  0x00000000009d61d5 in vixl::Decoder::Decode (instr=<optimized out>, this=<optimized out>) at js/src/jit/arm64/vixl/Decoder-vixl.h:158
#4  vixl::Simulator::ExecuteInstruction (this=0x7ffff5f3b000) at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:195
#5  0x00000000009d882c in vixl::Simulator::Run (this=0x7ffff5f3b000) at js/src/jit/arm64/vixl/Simulator-vixl.cpp:70
#6  0x00000000009d669d in vixl::Simulator::RunFrom (first=0x2c949e7ca970, this=0x7ffff5f3b000) at js/src/jit/arm64/vixl/Simulator-vixl.cpp:78
#7  vixl::Simulator::call (this=0x7ffff5f3b000, entry=entry@entry=0x2c949e7ca970 "\376w\277\251\375\003", argument_count=argument_count@entry=8) at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:326
#8  0x000000000062425e in EnterBaseline (data=..., cx=0x7ffff5f16000) at js/src/jit/BaselineJIT.cpp:151
#9  js::jit::EnterBaselineAtBranch (cx=0x7ffff5f16000, fp=0x7ffff45730b0, pc=<optimized out>) at js/src/jit/BaselineJIT.cpp:226
#10 0x000000000056dc10 in Interpret (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:2037
[...]
#20 0x0000000000442d2d in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9420
rax	0x0	0
rbx	0x7ffff5f3b000	140737319776256
rcx	0x797ff4c1fe90	133590474161808
rdx	0xffffffffffffffff	-1
rsi	0x797ff4c1fe90	133590474161808
rdi	0x7ffff5f3b000	140737319776256
rbp	0x7fffffffcf10	140737488342800
rsp	0x7fffffffceb0	140737488342704
r8	0x0	0
r9	0x0	0
r10	0x1	1
r11	0x0	0
r12	0x8	8
r13	0x2c949e7cab7c	49016825752444
r14	0xa8c15ff8	2831245304
r15	0x80400000	2151677952
rip	0x9e3ec4 <vixl::Simulator::LoadStorePairHelper(vixl::Instruction const*, vixl::AddrMode)+2516>
=> 0x9e3ec4 <vixl::Simulator::LoadStorePairHelper(vixl::Instruction const*, vixl::AddrMode)+2516>:	mov    (%rcx),%rdx
   0x9e3ec7 <vixl::Simulator::LoadStorePairHelper(vixl::Instruction const*, vixl::AddrMode)+2519>:	jmpq   0x9e3b91 <vixl::Simulator::LoadStorePairHelper(vixl::Instruction const*, vixl::AddrMode)+1697>


Another crash in ARM64 simulator with Debugger, possibly related to bug 1445992?
> Another crash in ARM64 simulator with Debugger, possibly related to bug 1445992?

Yeah, we need to make some time available for digging into that.
Priority: -- → P3
Closing because no crash has been reported in 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
This bug is related to ARM64 simulator support; reopening because it has no connection to crash reports.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][arm64:m3]

[arm64:m4] because simulator bugs don't need to block shipping ARM64 Fennec.

Whiteboard: [jsbugmon:update,bisect][arm64:m3] → [jsbugmon:update,bisect][arm64:m4]

I am not able to reproduce this issue on top of the latest mozilla-central.
Decoder, does it reproduce for you?

Flags: needinfo?(choller)

This doesn't reproduce for me anymore either (also not when adding --more-compartments).

Status: REOPENED → RESOLVED
Closed: 6 years ago → 5 years ago
Flags: needinfo?(choller)
Resolution: --- → WORKSFORME