Closed Bug 1602392 Opened 5 years ago Closed 5 years ago

Crash [@ js::jit::MachineState::read] or Crash [@ js::jit::SnapshotIterator::allocationValue] with Debugger

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla73
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- unaffected
firefox72 --- unaffected
firefox73 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 053b0bb00fed (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --without-intl-api --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --baseline-eager):

var g53 = newGlobal({ newCompartment: true });
g53.parent = this;
g53.eval("new Debugger(parent).onExceptionUnwind = function () {};");
function* wrapNoThrow() {
  for (const i16 of iter) yield i16;
}
for (var i16 of [1, 2, 3]) {
  for (var j39 of [4, 5, 6]) {
    for (const i16 of wrapNoThrow()) break;
  }
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555566c4a31 in js::jit::MachineState::read (this=<optimized out>, reg=...) at js/src/jit/Registers.h:261
#1  js::jit::SnapshotIterator::fromRegister (this=<optimized out>, reg=...) at js/src/jit/JSJitFrameIter.h:426
#2  js::jit::SnapshotIterator::allocationValue (this=0x7fffffffb0b0, alloc=..., rm=js::jit::SnapshotIterator::RM_Normal) at js/src/jit/JitFrames.cpp:1638
#3  0x00005555569d570b in js::jit::SnapshotIterator::read (this=<optimized out>) at js/src/jit/JSJitFrameIter.h:536
#4  InitFromBailout (cx=0x7ffff5f24000, frameNo=140737319684728, fun=..., script=..., iter=..., invalidate=true, builder=..., startFrameFormals=..., nextCallee=..., excInfo=0x7fffffffb9f0) at js/src/jit/BaselineBailouts.cpp:1034
#5  0x00005555569d23c0 in js::jit::BailoutIonToBaseline (cx=0x6, activation=<optimized out>, iter=..., invalidate=true, bailoutInfo=0x7fffffffb1a0, excInfo=0x7fffffffb9f0) at js/src/jit/BaselineBailouts.cpp:1632
#6  0x00005555569d37cc in js::jit::ExceptionHandlerBailout (cx=0x7ffff5f24000, frame=..., rfe=0x7fffffffbae8, excInfo=...) at js/src/jit/Bailouts.cpp:223
#7  0x00005555566c021a in js::jit::HandleExceptionIon (cx=<optimized out>, rfe=<optimized out>, frame=..., hitBailoutException=<optimized out>) at js/src/jit/JitFrames.cpp:187
#8  js::jit::HandleException (rfe=<optimized out>) at js/src/jit/JitFrames.cpp:647
#9  0x00000389f04dd336 in ?? ()
[...]
#23 0x0000000000000000 in ?? ()
rax	0x101	257
rbx	0x1	1
rcx	0x7fffffffb228	140737488335400
rdx	0x1	1
rsi	0x7fffffffae50	140737488334416
rdi	0x6	6
rbp	0x7fffffffad10	140737488334096
rsp	0x7ffffffface0	140737488334048
r8	0x7ffff5fb2e8c	140737320267404
r9	0xfffe0d91bd100bb8	-548030360056904
r10	0x7ffff4cd0400	140737300464640
r11	0x20	32
r12	0xfff9800000000000	-1829587348619264
r13	0x7fffffffb0b0	140737488335024
r14	0x7fffffffb0b0	140737488335024
r15	0x7fffffffae50	140737488334416
rip	0x5555566c4a31 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+433>
=> 0x5555566c4a31 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+433>:	mov    (%rax),%r12
   0x5555566c4a34 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+436>:	mov    %fs:0x28,%rax

Jan, could this be related to source note and iterator handling in loops?

Flags: needinfo?(jdemooij)

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0d4e8d749b8d
user: Jan de Mooij
date: Fri Dec 06 11:16:08 2019 +0000
summary: Bug 1601897 part 3 - Improve and simplify HasLiveStackValueAtDepth. r=arai

Jan, is bug 1601897 a likely regressor?

Regressed by: 1601897
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Has Regression Range: --- → yes

This can happen in some debugger bailout edge cases.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Priority: -- → P1
Attachment #9116358 - Attachment is obsolete: true

This fixes a bug with HasLiveStackValueAtDepth because now all stack values that
are part of the loop (2 values instead of 3 values) are loop-invariant.

The patch also simplifies the loop condition code a bit.

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/19f956b37c6c
Change for-of bytecode to not have an extra value on the stack across the loop edge. r=arai

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla73