all firefox tabs crash when using the profiler #3306

Open
z-erica opened this issue Dec 18, 2024 · 0 comments
Comments

@z-erica
Contributor

z-erica commented Dec 18, 2024

To reproduce, click "Start Recording" in the Firefox Profiler tool. It seems like the stack ends up misaligned somewhere in the call chain. Notice rbp is 0x00007fff6f31f6e8, and the faulting instruction is movaps %xmm0, -0x20(%rbp), which requires 16 bit alignment.

* thread #1, name = 'Isolated Web Co', stop reason = signal SIGSEGV: invalid address
  * frame #0: 0x00007110c7bf692f ld-musl-x86_64.so.1`syscall(n=186) at syscall.c:10:10
    frame #1: 0x00007110c7a3bfba libc++abi.so.1`::__cxa_guard_acquire() [inlined] PlatformThreadID at cxa_guard_impl.h:167:32
    frame #2: 0x00007110c7a3bfae libc++abi.so.1`::__cxa_guard_acquire() [inlined] get at cxa_guard_impl.h:124:15
    frame #3: 0x00007110c7a3bfac libc++abi.so.1`::__cxa_guard_acquire() [inlined] acquire at cxa_guard_impl.h:344:46
    frame #4: 0x00007110c7a3bf29 libc++abi.so.1`::__cxa_guard_acquire() [inlined] cxa_guard_acquire at cxa_guard_impl.h:590:43
    frame #5: 0x00007110c7a3bf1a libc++abi.so.1`::__cxa_guard_acquire() at cxa_guard.cpp:39:31
    frame #6: 0x00007110c7b635e2 libmozsandbox.so`sigprocmask(how=0, set=<unavailable>, oldset=0x00007fff6f31f8e8) at SandboxHooks.cpp:71:3
    frame #7: 0x00007110bad4ebf3 libxul.so`breakpad_getcontext at breakpad_getcontext.S:476
    frame #8: 0x00007110be4e1bae libxul.so`profiler_capture_backtrace_into(mozilla::ProfileChunkedBuffer&, mozilla::StackCaptureOptions) [inlined] profiler_capture_backtrace_into(mozilla::ProfileChunkedBuffer&, mozilla::StackCaptureOptions)::$_0::operator()(this=<unavailable>, aOnThreadRef=OnThreadRef @ rbx) const at platform.cpp:7692:9
    frame #9: 0x00007110be4e1b7a libxul.so`profiler_capture_backtrace_into(mozilla::ProfileChunkedBuffer&, mozilla::StackCaptureOptions) [inlined] decltype(std::forward<profiler_capture_backtrace_into(mozilla::ProfileChunkedBuffer&, mozilla::StackCaptureOptions)::$_0>(fp)(decltype(std::__declval<profiler_capture_backtrace_into(mozilla::ProfileChunkedBuffer&, mozilla::StackCaptureOptions)::$_0>(0)) std::__1::declval[abi:fn190105]<mozilla::profiler::ThreadRegistration::OnThreadRef>()())) mozilla::profiler::ThreadRegistration::WithOnThreadRefOr<profiler_capture_backtrace_into(mozilla::ProfileChunkedBuffer&, mozilla::StackCaptureOptions)::$_0, bool>(aF=<unavailable>, aFallbackReturn=<unavailable>) at ProfilerThreadRegistration.h:299:16
    frame #10: 0x00007110be4e1b64 libxul.so`profiler_capture_backtrace_into(aChunkedBuffer=<unavailable>, aCaptureOptions=Full) at platform.cpp:7680:10
    frame #11: 0x00007110be4d23cb libxul.so`mozilla::ProfileBufferBlockIndex mozilla::base_profiler_markers_detail::AddMarkerToBuffer<mozilla::baseprofiler::markers::TextMarker, nsTString<char>>(mozilla::ProfileChunkedBuffer&, mozilla::ProfilerStringView<char> const&, mozilla::MarkerCategory const&, mozilla::MarkerOptions&&, bool (*)(mozilla::ProfileChunkedBuffer&, mozilla::StackCaptureOptions), nsTString<char> const&) [inlined] mozilla::ProfileBufferBlockIndex mozilla::base_profiler_markers_detail::AddMarkerToBuffer<mozilla::baseprofiler::markers::TextMarker, nsTString<char>>(this=<unavailable>, aChunkedBuffer=0x0000711096897c00)(mozilla::ProfileChunkedBuffer&, mozilla::StackCaptureOptions), nsTString<char> const&)::'lambda'(mozilla::ProfileChunkedBuffer&)::operator()(mozilla::ProfileChunkedBuffer&) const at BaseProfilerMarkersDetail.h:303:11
    frame #12: 0x00007110be4d23c1 libxul.so`mozilla::ProfileBufferBlockIndex mozilla::base_profiler_markers_detail::AddMarkerToBuffer<mozilla::baseprofiler::markers::TextMarker, nsTString<char>>(aBuffer=0x0000631c341ebdd8, aName=0x00007fff6f31ffa8, aCategory=0x00007fff6f31ff50, aOptions=0x00007fff6f31ff58, aOptionalBacktraceCaptureFunction=(libxul.so`profiler_capture_backtrace_into(mozilla::ProfileChunkedBuffer&, mozilla::StackCaptureOptions) at platform.cpp:7672), aTs=0x00007fff6f31ff98) at BaseProfilerMarkersDetail.h:317:14
    frame #13: 0x00007110be4bc977 libxul.so`mozilla::ProfileBufferBlockIndex AddMarkerToBuffer<mozilla::baseprofiler::markers::TextMarker, nsTString<char>>(aBuffer=0x0000631c341ebdd8, aName=0x00007fff6f31ffa8, aCategory=0x00007fff6f31ff50, aOptions=0x00007fff6f31ff58, aMarkerType=<unavailable>, aPayloadArguments=0x00007fff6f31ff98) at ProfilerMarkers.h:109:10
    frame #14: 0x00007110be4bc88b libxul.so`mozilla::ProfileBufferBlockIndex profiler_add_marker_impl<mozilla::baseprofiler::markers::TextMarker, nsTString<char>>(aName=0x00007fff6f31ffa8, aCategory=0x00007fff6f31ff50, aOptions=0x00007fff6f31ff58, aMarkerType=<unavailable>, aPayloadArguments=0x00007fff6f31ff98) at ProfilerMarkers.h:184:10
    frame #15: 0x00007110ba4d4a9f libxul.so`nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) [inlined] AutoProfilerTextMarker::~AutoProfilerTextMarker(this=0x00007fff6f31ff48) at ProfilerMarkers.h:278:7
    frame #16: 0x00007110ba4d4a90 libxul.so`nsObserverService::NotifyObservers(this=<unavailable>, aSubject=0x00007110aa080210, aTopic=<unavailable>, aSomeData=Summary Unavailable) at nsObserverService.cpp:293:1
    frame #17: 0x00007110be4ddce5 libxul.so`NotifyObservers(aTopic="", aSubject=0x00007110aa080210) at platform.cpp:5535:9
    frame #18: 0x00007110be4fa5c1 libxul.so`mozilla::detail::RunnableFunction<NotifyObservers(char const*, nsISupports*)::$_0>::Run() [inlined] NotifyObservers(char const*, nsISupports*)::$_0::operator()(this=<unavailable>) const at platform.cpp:5530:34
    frame #19: 0x00007110be4fa5b1 libxul.so`mozilla::detail::RunnableFunction<NotifyObservers(char const*, nsISupports*)::$_0>::Run(this=<unavailable>) at nsThreadUtils.h:548:5
    frame #20: 0x00007110ba569fac libxul.so`mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [inlined] mozilla::RunnableTask::Run(this=0x00007110aa0f00a0) at TaskController.cpp:618:16
    frame #21: 0x00007110ba569f8e libxul.so`mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(this=0x00007110c38e1100, aProofOfLock=<unavailable>) at TaskController.cpp:945:26
    frame #22: 0x00007110ba4c719b libxul.so`NS_ProcessNextEvent(nsIThread*, bool) [inlined] mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(this=0x00007110c38e1100, aProofOfLock=0x00007fff6f320360) at TaskController.cpp:768:15
    frame #23: 0x00007110ba4c7190 libxul.so`NS_ProcessNextEvent(nsIThread*, bool) [inlined] mozilla::TaskController::ProcessPendingMTTask(this=0x00007110c38e1100, aMayWait=false) at TaskController.cpp:554:36
    frame #24: 0x00007110ba4c7184 libxul.so`NS_ProcessNextEvent(nsIThread*, bool) [inlined] mozilla::TaskController::TaskController()::$_0::operator()(this=<unavailable>) const at TaskController.cpp:268:37
    frame #25: 0x00007110ba4c7175 libxul.so`NS_ProcessNextEvent(nsIThread*, bool) [inlined] mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run(this=<unavailable>) at nsThreadUtils.h:548:5
    frame #26: 0x00007110ba4c7175 libxul.so`NS_ProcessNextEvent(nsIThread*, bool) [inlined] nsThread::ProcessNextEvent(this=0x00007110c38e2600, aMayWait=false, aResult=0x00007fff6f3201ed) at nsThread.cpp:1155:16
    frame #27: 0x00007110ba4c6b2f libxul.so`NS_ProcessNextEvent(aThread=0x00007110c38e2600, aMayWait=false) at nsThreadUtils.cpp:480:10
    frame #28: 0x00007110ba567d66 libxul.so`mozilla::ipc::MessagePump::Run(this=0x00007110c38514d0, aDelegate=0x00007fff6f3205a8) at MessagePump.cpp:85:21
    frame #29: 0x00007110ba434641 libxul.so`MessageLoop::Run() [inlined] MessageLoop::RunInternal(this=<unavailable>) at message_loop.cc:369:10
    frame #30: 0x00007110ba434635 libxul.so`MessageLoop::Run() [inlined] MessageLoop::RunHandler(this=<unavailable>) at message_loop.cc:362:3
    frame #31: 0x00007110ba434635 libxul.so`MessageLoop::Run(this=<unavailable>) at message_loop.cc:344:3
    frame #32: 0x00007110ba567c96 libxul.so`nsBaseAppShell::Run(this=0x00007110c3873080) at nsBaseAppShell.cpp:148:27
    frame #33: 0x00007110ba567b2c libxul.so`nsAppShell::Run(this=<unavailable>) at nsAppShell.cpp:469:33
    frame #34: 0x00007110ba567a80 libxul.so`XRE_RunAppShell() at nsEmbedFunctions.cpp:651:20
    frame #35: 0x00007110ba434641 libxul.so`MessageLoop::Run() [inlined] MessageLoop::RunInternal(this=<unavailable>) at message_loop.cc:369:10
    frame #36: 0x00007110ba434635 libxul.so`MessageLoop::Run() [inlined] MessageLoop::RunHandler(this=<unavailable>) at message_loop.cc:362:3
    frame #37: 0x00007110ba434635 libxul.so`MessageLoop::Run(this=<unavailable>) at message_loop.cc:344:3
    frame #38: 0x00007110ba430c8f libxul.so`XRE_InitChildProcess(aArgc=<unavailable>, aArgv=<unavailable>, aChildData=<unavailable>) at nsEmbedFunctions.cpp:586:34
    frame #39: 0x0000631c3419952f firefox`main(argc=<unavailable>, argv=<unavailable>, envp=0x00007fff6f321978) at nsBrowserApp.cpp:398:22
    frame #40: 0x00007110c7bd4c1d ld-musl-x86_64.so.1`libc_start_main_stage2(main=(firefox`main at nsBrowserApp.cpp:282), argc=<unavailable>, argv=0x00007fff6f321848) at __libc_start_main.c:95:7
    frame #41: 0x0000631c341b17b6 firefox`_start + 22
       rax = 0x00000000000000ba
       rbx = 0x00007110c7b76358  libmozsandbox.so`guard variable for sigprocmask::sRealFunc
       rcx = 0x8324554ce1e60082
       rdx = 0x0000000000000000
       rdi = 0x00000000000000ba
       rsi = 0x0000000000000000
       rbp = 0x00007fff6f31f6e8
       rsp = 0x00007fff6f31f618
        r8 = 0x00007fff6f31f968
        r9 = 0x0000000000000000
       r10 = 0x0000000000000000
       r11 = 0x0000000000000246
       r12 = 0x00007110c7a47978  libc++abi.so.1`__cxxabiv1::(anonymous namespace)::GlobalStatic<__cxxabiv1::(anonymous namespace)::LibcppMutex>::instance
       r13 = 0x00007110c7c26800  ld-musl-x86_64.so.1`wmemset at wmemset.c:4
       r14 = 0x0000000000000000
       r15 = 0x00007110c7a47948  libc++abi.so.1`__cxxabiv1::(anonymous namespace)::GlobalStatic<__cxxabiv1::(anonymous namespace)::LibcppCondVar>::instance
       rip = 0x00007110c7bf692f  ld-musl-x86_64.so.1`syscall + 111 at syscall.c:10:10
    rflags = 0x0000000000010246
        cs = 0x0000000000000033
        fs = 0x0000000000000000
        gs = 0x0000000000000000
        ss = 0x000000000000002b
   fs_base = 0x00007110c7cfb2c8  ld-musl-x86_64.so.1`builtin_tls + 136
   gs_base = 0x0000000000000000
        ds = 0x0000000000000000
        es = 0x0000000000000000
ld-musl-x86_64.so.1`syscall:
    0x7110c7bf68c0 <+0>:   pushq  %rbp
    0x7110c7bf68c1 <+1>:   movq   %rsp, %rbp
    0x7110c7bf68c4 <+4>:   subq   $0xd0, %rsp
    0x7110c7bf68cb <+11>:  movl   %eax, %r10d
    0x7110c7bf68ce <+14>:  movq   %rdi, %rax
    0x7110c7bf68d1 <+17>:  movq   %rsi, -0xc8(%rbp)
    0x7110c7bf68d8 <+24>:  movq   %rdx, -0xc0(%rbp)
    0x7110c7bf68df <+31>:  movq   %rcx, -0xb8(%rbp)
    0x7110c7bf68e6 <+38>:  movq   %r8, -0xb0(%rbp)
    0x7110c7bf68ed <+45>:  movq   %r9, -0xa8(%rbp)
    0x7110c7bf68f4 <+52>:  testb  %r10b, %r10b
    0x7110c7bf68f7 <+55>:  je     0x7991f        ; <+95> at syscall.c:9
    0x7110c7bf68f9 <+57>:  movaps %xmm0, -0xa0(%rbp)
    0x7110c7bf6900 <+64>:  movaps %xmm1, -0x90(%rbp)
    0x7110c7bf6907 <+71>:  movaps %xmm2, -0x80(%rbp)
    0x7110c7bf690b <+75>:  movaps %xmm3, -0x70(%rbp)
    0x7110c7bf690f <+79>:  movaps %xmm4, -0x60(%rbp)
    0x7110c7bf6913 <+83>:  movaps %xmm5, -0x50(%rbp)
    0x7110c7bf6917 <+87>:  movaps %xmm6, -0x40(%rbp)
    0x7110c7bf691b <+91>:  movaps %xmm7, -0x30(%rbp)
    0x7110c7bf691f <+95>:  movq   %fs:0x28, %rcx
    0x7110c7bf6928 <+104>: movq   %rcx, -0x8(%rbp)
    0x7110c7bf692c <+108>: xorps  %xmm0, %xmm0
->  0x7110c7bf692f <+111>: movaps %xmm0, -0x20(%rbp)
    0x7110c7bf6933 <+115>: leaq   -0xd0(%rbp), %rcx
    0x7110c7bf693a <+122>: movq   %rcx, -0x10(%rbp)
    0x7110c7bf693e <+126>: movabsq $0x3000000008, %rcx ; imm = 0x3000000008 
    0x7110c7bf6948 <+136>: movq   %rcx, -0x20(%rbp)
    0x7110c7bf694c <+140>: leaq   0x10(%rbp), %rcx
    0x7110c7bf6950 <+144>: movq   %rcx, -0x18(%rbp)
    0x7110c7bf6954 <+148>: movl   $0x8, %ecx
    0x7110c7bf6959 <+153>: cmpq   $0x29, %rcx
    0x7110c7bf695d <+157>: jae    0x799d8        ; <+280> at syscall.c:13:4
    0x7110c7bf695f <+159>: movq   -0x10(%rbp), %rsi
    0x7110c7bf6963 <+163>: leaq   0x8(%rcx), %rdx
    0x7110c7bf6967 <+167>: movl   %edx, -0x20(%rbp)
    0x7110c7bf696a <+170>: movq   (%rsi,%rcx), %rdi
    0x7110c7bf696e <+174>: cmpl   $0x21, %ecx
    0x7110c7bf6971 <+177>: jae    0x799e7        ; <+295> at syscall.c:14:4
    0x7110c7bf6973 <+179>: movq   -0x10(%rbp), %rsi
    0x7110c7bf6977 <+183>: leaq   0x10(%rcx), %r8
    0x7110c7bf697b <+187>: movl   %r8d, -0x20(%rbp)
    0x7110c7bf697f <+191>: movq   (%rsi,%rdx), %rsi
    0x7110c7bf6983 <+195>: cmpl   $0x19, %ecx
    0x7110c7bf6986 <+198>: jae    0x799f6        ; <+310> at syscall.c:15:4
    0x7110c7bf6988 <+200>: movq   -0x10(%rbp), %rdx
    0x7110c7bf698c <+204>: leaq   0x18(%rcx), %r9
    0x7110c7bf6990 <+208>: movl   %r9d, -0x20(%rbp)
    0x7110c7bf6994 <+212>: movq   (%rdx,%r8), %rdx
    0x7110c7bf6998 <+216>: cmpl   $0x11, %ecx
    0x7110c7bf699b <+219>: jae    0x79a05        ; <+325> at syscall.c:16:4
    0x7110c7bf699d <+221>: movq   -0x10(%rbp), %r10
    0x7110c7bf69a1 <+225>: leaq   0x20(%rcx), %r8
    0x7110c7bf69a5 <+229>: movl   %r8d, -0x20(%rbp)
    0x7110c7bf69a9 <+233>: movq   (%r10,%r9), %r10
    0x7110c7bf69ad <+237>: cmpl   $0x29, %r8d
    0x7110c7bf69b1 <+241>: jae    0x79a14        ; <+340> at syscall.c:17:4
    0x7110c7bf69b3 <+243>: movq   -0x10(%rbp), %r11
    0x7110c7bf69b7 <+247>: leal   0x28(%rcx), %r9d
    0x7110c7bf69bb <+251>: movl   %r9d, -0x20(%rbp)
    0x7110c7bf69bf <+255>: movq   (%r11,%r8), %r8
    0x7110c7bf69c3 <+259>: testq  %rcx, %rcx
    0x7110c7bf69c6 <+262>: jne    0x79a23        ; <+355> at syscall.c:18:4
    0x7110c7bf69c8 <+264>: movl   %r9d, %ecx
    0x7110c7bf69cb <+267>: addq   -0x10(%rbp), %rcx
    0x7110c7bf69cf <+271>: movl   $0x30, -0x20(%rbp)
    0x7110c7bf69d6 <+278>: jmp    0x79a2f        ; <+367> at syscall.c:18:4
    0x7110c7bf69d8 <+280>: movq   -0x18(%rbp), %rcx
    0x7110c7bf69dc <+284>: leaq   0x8(%rcx), %rdx
    0x7110c7bf69e0 <+288>: movq   %rdx, -0x18(%rbp)
    0x7110c7bf69e4 <+292>: movq   (%rcx), %rdi
    0x7110c7bf69e7 <+295>: movq   -0x18(%rbp), %rcx
    0x7110c7bf69eb <+299>: leaq   0x8(%rcx), %rdx
    0x7110c7bf69ef <+303>: movq   %rdx, -0x18(%rbp)
    0x7110c7bf69f3 <+307>: movq   (%rcx), %rsi
    0x7110c7bf69f6 <+310>: movq   -0x18(%rbp), %rcx
    0x7110c7bf69fa <+314>: leaq   0x8(%rcx), %rdx
    0x7110c7bf69fe <+318>: movq   %rdx, -0x18(%rbp)
    0x7110c7bf6a02 <+322>: movq   (%rcx), %rdx
    0x7110c7bf6a05 <+325>: movq   -0x18(%rbp), %rcx
    0x7110c7bf6a09 <+329>: leaq   0x8(%rcx), %r8
    0x7110c7bf6a0d <+333>: movq   %r8, -0x18(%rbp)
    0x7110c7bf6a11 <+337>: movq   (%rcx), %r10
    0x7110c7bf6a14 <+340>: movq   -0x18(%rbp), %rcx
    0x7110c7bf6a18 <+344>: leaq   0x8(%rcx), %r8
    0x7110c7bf6a1c <+348>: movq   %r8, -0x18(%rbp)
    0x7110c7bf6a20 <+352>: movq   (%rcx), %r8
    0x7110c7bf6a23 <+355>: movq   -0x18(%rbp), %rcx
    0x7110c7bf6a27 <+359>: leaq   0x8(%rcx), %r9
    0x7110c7bf6a2b <+363>: movq   %r9, -0x18(%rbp)
    0x7110c7bf6a2f <+367>: movq   (%rcx), %r9
    0x7110c7bf6a32 <+370>: syscall 
    0x7110c7bf6a34 <+372>: wait   
    0x7110c7bf6a35 <+373>: movq   %rax, %rdi
    0x7110c7bf6a38 <+376>: callq  0x5b790        ; __syscall_ret at syscall_ret.c:5
    0x7110c7bf6a3d <+381>: movq   %fs:0x28, %rcx
    0x7110c7bf6a46 <+390>: cmpq   -0x8(%rbp), %rcx
    0x7110c7bf6a4a <+394>: jne    0x79a55        ; <+405> at syscall.c
    0x7110c7bf6a4c <+396>: addq   $0xd0, %rsp
    0x7110c7bf6a53 <+403>: popq   %rbp
    0x7110c7bf6a54 <+404>: retq   
    0x7110c7bf6a55 <+405>: callq  0x57d00        ; __stack_chk_fail at __stack_chk_fail.c:25