Connecting the remote debugger to a tip Central build of Fennec, selecting the "Main Process", and activating the Debugger tab crashes Fennec: 4414 Gecko I Detected osrelease `3.4.0-gadb2201' 4414 Gecko I JITs are not broken 4414 libc F Fatal signal 11 (SIGSEGV) at 0x75410000 (code=1), thread 4856 (Gecko) A debug build of Fennec logs an assertion: 6860 Gecko I Detected osrelease `3.4.0-gadb2201' 6860 Gecko I JITs are not broken 6860 MOZ_Assert F Assertion failure: returnAddr > method_->raw(), at /Users/myk/Mozilla/gecko-dev/js/src/jit/BaselineJIT.cpp:582 6860 libc F Fatal signal 11 (SIGSEGV) at 0x00000000 (code=1), thread 7108 (Gecko) The crash doesn't happen on a tip Aurora build. cc: mfinkle and dcamp for help triaging into the proper product/component, in case it should be Firefox::Developer Tools, Core::JavaScript Engine:JIT, or the like.

This must have only started recently, since I was just debugging the main process yesterday (but maybe my mozilla-central was a few days old).

I was running into this on Aurora yesterday, and this is bad. jryans, are you aware of this? Who should look into this?

I was not aware of this, but then I haven't tried an Android build recently. I'll see if I can get a better stack locally, and also find someone to dig into this.

Well, I am attempting to get more info here, but for the moment I am blocked by bug 978492 because my local debug build of Fennec crashes whenever I try to visit "about:prefs" to set up remote debugging.

(In reply to J. Ryan Stinnett [:jryans] from comment #4) > Well, I am attempting to get more info here, but for the moment I am blocked > by bug 978492 because my local debug build of Fennec crashes whenever I try > to visit "about:prefs" to set up remote debugging. You should be able to flip the pref in Settings->Developer tools.

I can confirm that SpiderMonkey hits this assertion: Assertion failure: returnAddr > method_->raw(), at js/src/jit/BaselineJIT.cpp:582 Logcat didn't contain a full stack trace and I don't know how to get one.

Margaret are you able to hit this on 29 too?

I was not able to reproduce this on Aurora 29.0a2(2014-03-10) Firefox 29 Beta 4.

2014-02-28 - good 2014-03-01 - bad pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=58eca03214a6&tochange=8abc76dedec2

I can confirm this doesn't affect Fx29 beta.

* jryans: have you had a chance to catch a complete stack trace? * jimb: could this Android remote debugging crash be fallout from introductionScript bug 969786? That bug is one of the few SpiderMonkey-related bugs in comment 9's regression range.

Given the assertion mentioned in comment 6, I would be very surprised if bug 969786 is responsible. A stack trace would be very helpful.

From the assertion alone, I would expect the cause to be JIT-related. There are a number of SpiderMonkey-related bugs in that pushlog. Note that SpiderMonkey has been split into a number of new bugzilla components, like JavaScript: JIT and JavaScript: GC. Did your query catch those?

I attempted once again to capture a stack trace for this, but my debug Fennec builds still segfault when I try to open a tab, and I don't think it's related to this issue... I've filed bug 994859 for that issue, so once I'm unblocked there I'll try again to capture this.

Okay, I finally have a debug build that works! I connected to "Main Process", switched to the "Debugger" tab, and got a segfault on device. Here's the stack trace: #0 0x958631a6 in js::BarrieredPtr<js::jit::JitCode, unsigned int>::operator-> (this=0x0) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/gc/Barrier.h:322 #1 0x958483b8 in js::jit::BaselineScript::prologueEntryAddr (this=0x0) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/jit/BaselineJIT.h:224 #2 0x958baddc in js::jit::IonFrameIterator::baselineScriptAndPc (this=0x6069ec78, scriptRes=0x0, pcRes=0x6069ec5c) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/jit/IonFrames.cpp:229 #3 0x95af247a in js::FrameIter::nextJitFrame (this=0x6069ec48) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Stack.cpp:705 #4 0x95af2122 in js::FrameIter::settleOnActivation (this=0x6069ec48) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Stack.cpp:588 #5 0x95af1f3a in js::FrameIter::popActivation (this=0x6069ec48) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Stack.cpp:519 #6 0x95af1f70 in js::FrameIter::popInterpreterFrame (this=0x6069ec48) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Stack.cpp:530 #7 0x95af2688 in js::FrameIter::operator++ (this=0x6069ec48) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Stack.cpp:769 #8 0x95780480 in js::ScriptFrameIter::operator++ (this=0x6069ec48) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Stack.h:1647 #9 0x957804d0 in js::NonBuiltinScriptFrameIter::operator++ (this=0x6069ec48) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Stack.h:1723 #10 0x95ade2a4 in JS::DescribeStack (cx=0x5ebaa2f0, maxFrames=100) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/OldDebugAPI.cpp:946 #11 0x93e659b6 in mozilla::dom::exceptions::JSStackFrame::CreateStack (aCx=0x5ebaa2f0, aMaxDepth=100) at /Users/jryans/projects/mozilla/gecko-dev-2/dom/bindings/Exceptions.cpp:490 #12 0x93e65b64 in mozilla::dom::exceptions::CreateStack (aCx=0x5ebaa2f0, aMaxDepth=-1) at /Users/jryans/projects/mozilla/gecko-dev-2/dom/bindings/Exceptions.cpp:523 #13 0x93e64cec in mozilla::dom::GetCurrentJSStack () at /Users/jryans/projects/mozilla/gecko-dev-2/dom/bindings/Exceptions.cpp:188 #14 0x940afc72 in mozilla::dom::Exception::Exception (this=0xa5fb4040, aMessage=..., aResult=2147500037, aName=..., aLocation=0x0, aData=0x0) at /Users/jryans/projects/mozilla/gecko-dev-2/dom/base/DOMException.cpp:205 #15 0x93e64bd8 in mozilla::dom::Throw (aCx=0x5ebaa2f0, aRv=2147500037, aMessage=0x95f406f8 "Failure") at /Users/jryans/projects/mozilla/gecko-dev-2/dom/bindings/Exceptions.cpp:152 #16 0x93fb16d8 in XPCThrower::Throw (rv=2147500037, cx=0x5ebaa2f0) at /Users/jryans/projects/mozilla/gecko-dev-2/js/xpconnect/src/XPCThrower.cpp:29 #17 0x93fb16fa in xpc::Throw (cx=0x5ebaa2f0, rv=2147500037) at /Users/jryans/projects/mozilla/gecko-dev-2/js/xpconnect/src/XPCThrower.cpp:37 #18 0x93fa20ee in XPCJSSourceHook::load (this=0x5eb35328, cx=0x5ebaa2f0, filename=0xb8583710 "jar:jar:file:///data/app/org.mozilla.fennec_jryans-2.apk!/assets/omni.ja!/components/nsUrlClassifierLib.js", src=0x6069f044, length=0x6069f040) at /Users/jryans/projects/mozilla/gecko-dev-2/js/xpconnect/src/XPCJSRuntime.cpp:2991 #19 0x95a3d868 in JSScript::loadSource (cx=0x5ebaa2f0, ss=0xb69886d0, worked=0x6069f06b) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/jsscript.cpp:1379 #20 0x95a9639e in DebuggerSource_getText (cx=0x5ebaa2f0, argc=0, vp=0x6069f368) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Debugger.cpp:3882 #21 0x95aa72c2 in CallJSNative (args=..., native=0x95a962ad <DebuggerSource_getText(JSContext*, unsigned int, JS::Value*)>, cx=0x5ebaa2f0) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/jscntxtinlines.h:239 #22 js::Invoke (cx=0x5ebaa2f0, args=..., construct=js::NO_CONSTRUCT) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Interpreter.cpp:476 #23 0x95aa7652 in js::Invoke (cx=0x5ebaa2f0, thisv=..., fval=..., argc=0, argv=0x0, rval=...) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Interpreter.cpp:532 #24 0x95aa7b9e in js::InvokeGetterOrSetter (cx=0x5ebaa2f0, obj=0xa5d536c0, fval=..., argc=0, argv=0x0, rval=...) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Interpreter.cpp:604 #25 0x95a6666c in js::Shape::get (this=0xb4f574c0, cx=0x5ebaa2f0, receiver=..., obj=0xa5d536c0, pobj=0xb4f55900, vp=...) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Shape-inl.h:46 #26 0x95a1367a in NativeGetInline<(js::AllowGC)1> (vp=..., shape=..., pobj=..., receiver=..., obj=..., cx=0x5ebaa2f0) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/jsobj.cpp:4344 #27 GetPropertyHelperInline<(js::AllowGC)1> (vp=..., id=..., receiver=..., obj=..., cx=0x5ebaa2f0) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/jsobj.cpp:4541 #28 js::baseops::GetProperty (cx=0x5ebaa2f0, obj=..., receiver=..., id=..., vp=...) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/jsobj.cpp:4551 #29 0x95707cfa in JSObject::getGeneric (cx=0x5ebaa2f0, obj=..., receiver=..., id=..., vp=...) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/jsobj.h:981 #30 0x95aa67fe in GetPropertyOperation (cx=0x5ebaa2f0, fp=0xa5f075d8, script=..., pc=0xb46505d5 "5", lval=..., vp=...) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Interpreter.cpp:266 #31 0x95ab36e0 in Interpret (cx=0x5ebaa2f0, state=...) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Interpreter.cpp:2414 #32 0x95aa7034 in js::RunScript (cx=0x5ebaa2f0, state=...) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Interpreter.cpp:423 #33 0x95aa73d6 in js::Invoke (cx=0x5ebaa2f0, args=..., construct=js::NO_CONSTRUCT) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Interpreter.cpp:495 #34 0x95aa7652 in js::Invoke (cx=0x5ebaa2f0, thisv=..., fval=..., argc=1, argv=0x606a0d38, rval=...) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/vm/Interpreter.cpp:532 #35 0x958179a8 in js::jit::DoCallFallback (cx=0x5ebaa2f0, frame=0x606a0da8, stub=0xb3cf2650, argc=1, vp=0x606a0d28, res=...) at /Users/jryans/projects/mozilla/gecko-dev-2/js/src/jit/BaselineIC.cpp:8128 #36 0xa6007c00 in ?? () #37 0xa6007c00 in ?? ()

More bisecting points at this commit as the culprit: 508848ad378a Jan de Mooij — Bug 939562 part 3 - Move JIT flags from ContextOptions to RuntimeOptions. r=bent,bholley,luke Jan, any ideas?

(In reply to J. Ryan Stinnett [:jryans] from comment #16) > Jan, any ideas? With bug 939562 we're able to JIT more JS and it likely exposed a pre-existing issue. Does anybody have STR for people not very familiar with b2g? Does this also happen with the emulator? It looks like we have a Baseline frame on the stack, but its script has no BaselineScript. I think I've seen this before related to the debugger but not sure how this can happen, I'll take a look. Shu, since you're working on the debugger, do you have any thoughts on this? Could bug 933882 be related?

(In reply to Jan de Mooij [:jandem] from comment #17) > Does anybody have STR for people not very familiar with b2g? Does this also > happen with the emulator? No longer needed. (And I realized this is Android, not b2g.)

The root cause has been fixed in 31 as part of bug 995607. It will be uplifted to Aurora and Beta.

Verified as fixed on Nightly 31.0a1(2014-04-16). Waiting for the uplift to mark the bug as VERIFIED

Fix uplifted to Aurora and Beta. Note that this particular symptom seems doesn't seem to affect in Beta, but in any case, at least Aurora should be tested.

Verified as fixed on Aurora 30.0a2(2014-04-17) on Alcatel One Touch 8008D(Android 4.1.2).