Bug 944554
Opened 11 years ago
Closed 6 years ago
Crash in JSC::X86Assembler::setRel32()
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WONTFIX
People
(Reporter: hub, Unassigned)
Details
(Keywords: crash)
I was closing a tab from github and got this crash.

    Program received signal SIGSEGV, Segmentation fault.
    PatchJump (label=..., jump=...) at /home/hub/source/mozilla/src/js/src/jit/x64/Assembler-x64.h:684
    684 JSC::X86Assembler::setRel32(jump.raw(), label.raw());
    (gdb) where
    #0 PatchJump (label=..., jump=...) at /home/hub/source/mozilla/src/js/src/jit/x64/Assembler-x64.h:684
    #1 js::jit::JitRuntime::patchIonBackedges (this=<optimized out>, rt=<optimized out>, target=target@entry=js::jit::JitRuntime::BackedgeLoopHeader) at /home/hub/source/mozilla/src/js/src/jit/Ion.cpp:425
    #2 0x00007ffff4c3bdbe in InterruptCheck (cx=0x7fffd1805cd0) at /home/hub/source/mozilla/src/js/src/jit/VMFunctions.cpp:491
    #3 js::jit::CheckOverRecursedWithExtra (cx=0x7fffd1805cd0, frame=<optimized out>, extra=<optimized out>, earlyCheck=<optimized out>) at /home/hub/source/mozilla/src/js/src/jit/VMFunctions.cpp:164
    #4 0x00007fffe8c7ab02 in ?? ()
    #5 0x00007fffe8aefd80 in ?? ()
    #6 0x00007ffffffebc88 in ?? ()
    #7 0x00007ffffffebc98 in ?? ()
    #8 0x00007ffff6c568a0 in DebugPrologueInfo () from /home/hub/source/mozilla/src/obj-x86_64-unknown-linux-gnu/dist/bin/libxul.so
    #9 0x00007fffcdd1b5b0 in ?? ()
    #10 0x00007fffdb79e225 in ?? ()
    #11 0x0000000000000701 in ?? ()
    #12 0x00007ffffffebcc8 in ?? ()
    #13 0x0000000000000000 in ?? ()

I have m-i @ changeset: 157993:2ca245caad6d + the patch for bug 942421

Linux, F19, gcc 4.8.2, x86_64
Comment 1•11 years ago (Reporter)
I haven't been able to reproduce yet, btw.
Comment 2•11 years ago (Reporter)
I was away from the computer and it crashed with the exact same stack trace. So it is reproducible, but I don't have the STR.
possible duplicate of bug 934639
maybe relevant? not in PatchJump though

    #0 0x00007ffff5b7c0d3 in js::jit::IonRuntime::patchIonBackedges(JSRuntime*, js::jit::IonRuntime::BackedgeTarget) () from /usr/lib64/firefox/libxul.so
    #1 0x00007ffff5c3fd86 in js::jit::CheckOverRecursedWithExtra(JSContext*, unsigned int) () from /usr/lib64/firefox/libxul.so
    #2 0x00007ffff0d735bc in ?? ()
    #3 0xfffbffffe41a04f0 in ?? ()
    #4 0x00007ffffff0bf28 in ?? ()
    #5 0x0000000000000000 in ?? ()
Comment 5•10 years ago
(In reply to Alex Xu from comment #4)
> maybe relevant? not in PatchJump though
>
> #0 0x00007ffff5b7c0d3 in js::jit::IonRuntime::patchIonBackedges(JSRuntime*,
> js::jit::IonRuntime::BackedgeTarget) () from /usr/lib64/firefox/libxul.so
[...]

I'm seeing what looks like a very similar crash:

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff45a6565 in js::jit::JitRuntime::patchIonBackedges(JSRuntime*, js::jit::JitRuntime::BackedgeTarget) () from /usr/lib64/firefox/libxul.so
    (gdb) bt
    #0 0x00007ffff45a6565 in js::jit::JitRuntime::patchIonBackedges(JSRuntime*, js::jit::JitRuntime::BackedgeTarget) () from /usr/lib64/firefox/libxul.so
    #1 0x00007ffff468432e in js::jit::CheckOverRecursedWithExtra(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned int) () from /usr/lib64/firefox/libxul.so
    #2 0x00007fffde3042ca in ?? ()
    #3 0x000000000000038f in ?? ()
    #4 0x00007ffffffd7cd0 in ?? ()
    #5 0x00007ffff6928800 in ?? () from /usr/lib64/firefox/libxul.so
    #6 0x00007fffca59c790 in ?? ()
    #7 0x00007fffdb340065 in ?? ()
    #8 0x0000000000000681 in ?? ()
    #9 0x00007ffffffd7d10 in ?? ()
    #10 0x0000000000000000 in ?? ()

Ironically the thing that triggers it is a local BugZilla deployment and sometimes (rarely) Twitter. Perhaps I should open a new bug?
I'm seeing both PatchJump and patchIonBackedges on firefox-31.0-2.fc19.x86_64.

    Program received signal SIGSEGV, Segmentation fault.
    PatchJump (label=..., jump=...) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/x64/Assembler-x64.h:716
    716 JSC::X86Assembler::setRel32(jump.raw(), label.raw());
    ---Type <return> to continue, or q <return> to quit---
    Thread 1 (Thread 0x7ffff7fb5740 (LWP 18779)):
    #0 PatchJump (label=..., jump=...) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/x64/Assembler-x64.h:716
    No locals.
    #1 js::jit::JitRuntime::patchIonBackedges (this=<optimized out>, rt=<optimized out>, target=target@entry=js::jit::JitRuntime::BackedgeLoopHeader) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/Ion.cpp:412
    iter = {iter = 0x7fffd3410da8}
    #2 0x00007ffff612ff80 in InterruptCheck (cx=0x7fffdca14a80) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/VMFunctions.cpp:523
    No locals.
    #3 js::jit::CheckOverRecursedWithExtra (cx=0x7fffdca14a80, frame=<optimized out>, extra=<optimized out>, earlyCheck=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/VMFunctions.cpp:177
    spDummy = 32 ' '
    checkSp = 0x7fffffff0a10 " \335ݽ\377\177"
Comment 7•8 years ago
Only 12 crashes this year, and none are newer than version 31.
https://crash-stats.mozilla.com/search/?signature=~JSC%3A%3AX86Assembler%3A%3AsetRel32&date=%3E2016-01-01&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports
Comment 8•6 years ago
Closing because no crashes have been reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Comment 9•6 years ago
Closing because no crashes have been reported for 12 weeks.