Closed
Bug 1602392
Opened 5 years ago
Closed 5 years ago
Crash [@ js::jit::MachineState::read] or Crash [@ js::jit::SnapshotIterator::allocationValue] with Debugger
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla73
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox71 | --- | unaffected |
| firefox72 | --- | unaffected |
| firefox73 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file, 1 obsolete file)
The following testcase crashes on mozilla-central revision 053b0bb00fed (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --without-intl-api --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --baseline-eager):
var g53 = newGlobal({ newCompartment: true });
g53.parent = this;
g53.eval("new Debugger(parent).onExceptionUnwind = function () {};");
function* wrapNoThrow() {
for (const i16 of iter) yield i16;
}
for (var i16 of [1, 2, 3]) {
for (var j39 of [4, 5, 6]) {
for (const i16 of wrapNoThrow()) break;
}
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555566c4a31 in js::jit::MachineState::read (this=<optimized out>, reg=...) at js/src/jit/Registers.h:261
#1 js::jit::SnapshotIterator::fromRegister (this=<optimized out>, reg=...) at js/src/jit/JSJitFrameIter.h:426
#2 js::jit::SnapshotIterator::allocationValue (this=0x7fffffffb0b0, alloc=..., rm=js::jit::SnapshotIterator::RM_Normal) at js/src/jit/JitFrames.cpp:1638
#3 0x00005555569d570b in js::jit::SnapshotIterator::read (this=<optimized out>) at js/src/jit/JSJitFrameIter.h:536
#4 InitFromBailout (cx=0x7ffff5f24000, frameNo=140737319684728, fun=..., script=..., iter=..., invalidate=true, builder=..., startFrameFormals=..., nextCallee=..., excInfo=0x7fffffffb9f0) at js/src/jit/BaselineBailouts.cpp:1034
#5 0x00005555569d23c0 in js::jit::BailoutIonToBaseline (cx=0x6, activation=<optimized out>, iter=..., invalidate=true, bailoutInfo=0x7fffffffb1a0, excInfo=0x7fffffffb9f0) at js/src/jit/BaselineBailouts.cpp:1632
#6 0x00005555569d37cc in js::jit::ExceptionHandlerBailout (cx=0x7ffff5f24000, frame=..., rfe=0x7fffffffbae8, excInfo=...) at js/src/jit/Bailouts.cpp:223
#7 0x00005555566c021a in js::jit::HandleExceptionIon (cx=<optimized out>, rfe=<optimized out>, frame=..., hitBailoutException=<optimized out>) at js/src/jit/JitFrames.cpp:187
#8 js::jit::HandleException (rfe=<optimized out>) at js/src/jit/JitFrames.cpp:647
#9 0x00000389f04dd336 in ?? ()
[...]
#23 0x0000000000000000 in ?? ()
rax 0x101 257
rbx 0x1 1
rcx 0x7fffffffb228 140737488335400
rdx 0x1 1
rsi 0x7fffffffae50 140737488334416
rdi 0x6 6
rbp 0x7fffffffad10 140737488334096
rsp 0x7ffffffface0 140737488334048
r8 0x7ffff5fb2e8c 140737320267404
r9 0xfffe0d91bd100bb8 -548030360056904
r10 0x7ffff4cd0400 140737300464640
r11 0x20 32
r12 0xfff9800000000000 -1829587348619264
r13 0x7fffffffb0b0 140737488335024
r14 0x7fffffffb0b0 140737488335024
r15 0x7fffffffae50 140737488334416
rip 0x5555566c4a31 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+433>
=> 0x5555566c4a31 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+433>: mov (%rax),%r12
0x5555566c4a34 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+436>: mov %fs:0x28,%rax
|
||
Comment 1•5 years ago
|
||
Jan, could this be related to source note and iterator handling in loops?
Flags: needinfo?(jdemooij)
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0d4e8d749b8d
user: Jan de Mooij
date: Fri Dec 06 11:16:08 2019 +0000
summary: Bug 1601897 part 3 - Improve and simplify HasLiveStackValueAtDepth. r=arai
Jan, is bug 1601897 a likely regressor?
Regressed by: 1601897
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
||
Updated•5 years ago
|
Has Regression Range: --- → yes
|
Assignee | |
Comment 3•5 years ago
|
||
This can happen in some debugger bailout edge cases.
|
||
Updated•5 years ago
|
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•5 years ago
|
Flags: needinfo?(jdemooij)
|
||
Updated•5 years ago
|
Priority: -- → P1
|
|
||
Updated•5 years ago
|
Attachment #9116358 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 4•5 years ago
|
||
This fixes a bug with HasLiveStackValueAtDepth because now all stack values that
are part of the loop (2 values instead of 3 values) are loop-invariant.
The patch also simplifies the loop condition code a bit.
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/19f956b37c6c
Change for-of bytecode to not have an extra value on the stack across the loop edge. r=arai
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
|
||
Updated•5 years ago
|
status-firefox71:
--- → unaffected
status-firefox72:
--- → unaffected
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•