Closed
Bug 1692833
Opened 4 years ago
Closed 4 years ago
Crash [@ js::jit::RInstructionResults::operator[]] with Debugger
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
RESOLVED
FIXED
87 Branch
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect,confirmed])
Crash Data
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210214-0abd3454600d (debug build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments):
g13 = newGlobal()
g13.parent = this;
g13.eval("(" + function() {
Debugger(parent).onExceptionUnwind = function(frame) {
frame.older;
}
} + ")()");
function v22() {
try { v22() } catch {
v31[arguments]
}
}
v22();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555557952474 in js::jit::RInstructionResults::operator[](unsigned long) ()
#1 0x00005555579533bc in js::jit::SnapshotIterator::fromInstructionResult(unsigned int) const ()
#2 0x0000555557952bd4 in js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod) ()
#3 0x0000555556ce7ca9 in js::jit::SnapshotIterator::read() ()
#4 0x0000555557a4b468 in void js::jit::SnapshotIterator::readFunctionFrameArgs<CopyValueToRematerializedFrame>(CopyValueToRematerializedFrame&, js::ArgumentsObject**, JS::Value*, unsigned int, unsigned int, JSScript*, js::jit::MaybeReadFallback&) ()
#5 0x0000555557a3e409 in void js::jit::InlineFrameIterator::readFrameArgsAndLocals<CopyValueToRematerializedFrame, CopyValueToRematerializedFrame>(JSContext*, CopyValueToRematerializedFrame&, CopyValueToRematerializedFrame&, JSObject**, bool*, JS::Value*, js::ArgumentsObject**, JS::Value*, JS::Value*, js::jit::ReadFrameArgsBehavior, js::jit::MaybeReadFallback&) const ()
#6 0x0000555557a3e06d in js::jit::RematerializedFrame::RematerializedFrame(JSContext*, unsigned char*, unsigned int, js::jit::InlineFrameIterator&, js::jit::MaybeReadFallback&) ()
#7 0x0000555557a3eb51 in js::jit::RematerializedFrame::New(JSContext*, unsigned char*, js::jit::InlineFrameIterator&, js::jit::MaybeReadFallback&) ()
#8 0x0000555557a3ee48 in js::jit::RematerializedFrame::RematerializeInlineFrames(JSContext*, unsigned char*, js::jit::InlineFrameIterator&, js::jit::MaybeReadFallback&, JS::GCVector<mozilla::UniquePtr<js::jit::RematerializedFrame, JS::DeletePolicy<js::jit::RematerializedFrame> >, 0ul, js::TempAllocPolicy>&) ()
#9 0x0000555556edeba8 in js::jit::JitActivation::getRematerializedFrame(JSContext*, js::jit::JSJitFrameIter const&, unsigned long) ()
#10 0x0000555556d83957 in js::FrameIter::ensureHasRematerializedFrame(JSContext*) ()
#11 0x00005555571e752d in js::DebuggerFrame::getOlder(JSContext*, JS::Handle<js::DebuggerFrame*>, JS::MutableHandle<js::DebuggerFrame*>) ()
#12 0x00005555571ed4f7 in js::DebuggerFrame::CallData::olderGetter() ()
#13 0x00005555571f1b74 in bool js::DebuggerFrame::CallData::ToNative<&js::DebuggerFrame::CallData::olderGetter>(JSContext*, unsigned int, JS::Value*) ()
#14 0x0000555556b87122 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#15 0x0000555556b86864 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#16 0x0000555556b87c61 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#17 0x0000555556b87e80 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#18 0x0000555556b88e5d in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#19 0x0000555556ef3226 in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#20 0x0000555556ef3ef1 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#21 0x0000555556a51893 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#22 0x0000555556b8c7a7 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#23 0x0000555556b78b56 in Interpret(JSContext*, js::RunState&) ()
#24 0x0000555556b72108 in js::RunScript(JSContext*, js::RunState&) ()
#25 0x0000555556b86885 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#26 0x0000555556b87c61 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#27 0x0000555556b87e80 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#28 0x0000555556c4cd3e in js::Call(JSContext*, JS::Handle<JS::Value>, JSObject*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#29 0x00005555571adeb9 in js::Debugger::fireExceptionUnwind(JSContext*, JS::Handle<JS::Value>, js::ResumeMode&, JS::MutableHandle<JS::Value>) ()
#30 0x00005555571a8ed2 in js::DebugAPI::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr) ()
#31 0x000055555794d717 in js::jit::HandleException(js::jit::ResumeFromException*) ()
#32 0x0000172f7aa884a6 in ?? ()
#33 0x0000000000000008 in ?? ()
#34 0x00007fffffe00918 in ?? ()
#35 0x00007ffff4a03844 in ?? ()
#36 0x0000000000000000 in ?? ()
rax 0x555557f806c8 93825036453576
rbx 0x7fffffdfe350 140737486250832
rcx 0x555557fa0c10 93825036586000
rdx 0x1 1
rsi 0x0 0
rdi 0x0 0
rbp 0x7fffffdfddc0 140737486249408
rsp 0x7fffffdfddc0 140737486249408
r8 0x0 0
r9 0x0 0
r10 0x7ffff4dfd28b 140737301697163
r11 0x246 582
r12 0xfff9800000000000 -1829587348619264
r13 0x7ffff4dea470 140737301619824
r14 0x0 0
r15 0x7fffffdfde38 140737486249528
rip 0x555557952474 <js::jit::RInstructionResults::operator[](unsigned long)+4>
=> 0x555557952474 <_ZN2js3jit19RInstructionResultsixEm+4>: mov (%rdi),%rcx
0x555557952477 <_ZN2js3jit19RInstructionResultsixEm+7>: test %rcx,%rcx
|
Reporter | |
Comment 1•4 years ago
|
||
|
||
Comment 2•4 years ago
|
||
Based on recent changes with the Arguments recovery, could this be related?
Flags: needinfo?(iireland)
|
||
Comment 3•4 years ago
|
||
Bugmon Analysis:
Unable to reproduce bug using the following builds:
mozilla-central 20210215093120-ffed7ebd405a
mozilla-central 20210214213026-0abd3454600d
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect,confirmed]
|
Assignee | |
Comment 4•4 years ago
|
||
I couldn't get the fuzzbug to replicate locally, but based on the backtrace I eventually managed to get a similar failure using --scalar-replace-arguments.
|
||
Updated•4 years ago
|
Assignee: nobody → iireland
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(iireland)
|
|
||
Updated•4 years ago
|
Severity: -- → S3
Priority: -- → P1
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d388f3defae8
Read argsObj fallibly r=nbp
|
||
Comment 6•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
|
||
Updated•4 years ago
|
|
||
Comment 7•3 years ago
|
||
:iain, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(iireland)
You need to log in
before you can comment on or make changes to this bug.
Description
•