Closed Bug 1586762 Opened 5 years ago Closed 5 years ago

Crash [@ ??] with Debugger

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

Bug 1586762 - Set BaselineFrame::interpreterICEntry correctly for BaselineDebugModeOSR at debug prologue. r?iain!
(deleted), text/x-phabricator-request
Details

The following testcase crashes on mozilla-central revision 4a20e73bd624 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

setJitCompilerOption("baseline.warmup.trigger", 0);
var g81 = newGlobal({
    newCompartment: true
});
var dbg = new Debugger;
dbg.addDebuggee(g81);
g81.eval("" + function f41() {});
dbg.onEnterFrame = function(f41) {
    dbg.removeDebuggee(g81);
}
g81.f41();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00003fa8c55b221f in ?? ()
#0  0x00003fa8c55b221f in ?? ()
#1  0x00001f98159d30a0 in ?? ()
#2  0x00007ffff477eea1 in ?? ()
#3  0x0000000000000000 in ?? ()
rax	0x1f98159d30a0	34738058113184
rbx	0x0	0
rcx	0xfffe1f98159bc070	-528211895402384
rdx	0x0	0
rsi	0x8	8
rdi	0x0	0
rbp	0x7fffffffbbf8	140737488337912
rsp	0x7fffffffbbb8	140737488337848
r8	0x0	0
r9	0x7ffff5f41108	140737319801096
r10	0x1b	27
r11	0x246	582
r12	0x8	8
r13	0x7fffffffc4d8	140737488340184
r14	0x7ffff477eea1	140737294888609
r15	0x7fffffffbcf0	140737488338160
rip	0x3fa8c55b221f	69994098139679
=> 0x3fa8c55b221f:	mov    (%rdi),%rdi
   0x3fa8c55b2222:	callq  *(%rdi)
Priority: -- → P1

Nicolas, you set it to P1, do you intend to have it fixed in 71? Thanks

Flags: needinfo?(nicolas.b.pierron)

(In reply to Pascal Chevrel:pascalc from comment #1)

Nicolas, you set it to P1, do you intend to have it fixed in 71? Thanks

Yes, I forgot to needinfo someone to address this issue.

Flags: needinfo?(nicolas.b.pierron) → needinfo?(jdemooij)

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/49a2da59aa3e
user: Jan de Mooij
date: Fri Jul 19 09:01:45 2019 +0000
summary: Bug 1566330 - Let BaselineDebugModeOSR resume in the interpreter, remove BaselineDebugModeOSRInfo. r=iain

Jan, is bug 1566330 a likely regressor?

Regressed by: 1566330
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

We were using the first pc, but that skips the prologue's type monitor ICs.

This bug is pretty hard to trigger in practice (I was unable to write a test
that doesn't use setJitCompilerOption) because usually we switch immediately
from Baseline Interpreter to Baseline JIT code after returning from the
DebugPrologue call and don't use the (invalid) interpreterICEntry value.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8c9daa76d87a Set BaselineFrame::interpreterICEntry correctly for BaselineDebugModeOSR at debug prologue. r=iain

https://hg.mozilla.org/mozilla-central/rev/8c9daa76d87a

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox71: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: