723271 - IonMonkey: Segmentation fault running deltablue.js (2)

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Hannes Verschore [:h4writer]]

Minimized V8 deltablue again, because it still segfaults, but now because of something different.

The following testcase fails on --ion -n:

function addConstraint(blaat) {
    return blaat.v1
}

function ScaleConstraint() {
    this.direction = null
    this.v1 = {};
    addConstraint(this);
}

function EqualityConstraint() {
    this.v1 = {};
    addConstraint(this);
}

function deltaBlue() {
    new EqualityConstraint();
    new ScaleConstraint();
}

for (var n = 0; n<100; n++) {
    deltaBlue()
}


The curious part is that the backtrace doesn't point to ionmonkey.
It fails in js::types::TypeScript::Monitor, but called from the interpreter.
Somehow it is related to ionmonkey, because it only fails after ionmonkey has compiled the code.

Backtrace:
(gdb) bt
#0  0x0805cfd6 in js::HeapPtr<js::types::TypeObject, unsigned int>::operator-> (this=0x4) at ../../gc/Barrier.h:229
#1  0x0805a7a8 in JSObject::hasSingletonType (this=0x0) at ../../jsobj.h:845
#2  0x080a39a3 in js::types::Type::ObjectType (obj=0x0) at ../jsinferinlines.h:66
#3  0x080a3a6a in js::types::GetValueType (cx=0x8691710, val=...) at ../jsinferinlines.h:92
#4  0x0811bc01 in js::types::TypeMonitorResult (cx=0x8691710, script=0xf73061c0, pc=0x8699da6 ":", rval=...) at /home/h4writer/Build/ionmonkey/js/src/jsinfer.cpp:5186
#5  0x0814bcb9 in js::types::TypeScript::Monitor (cx=0x8691710, script=0xf73061c0, pc=0x8699da6 ":", rval=...) at ../jsinferinlines.h:575
#6  0x081374af in js::Interpret (cx=0x8691710, entryFrame=0xf7541020, interpMode=js::JSINTERP_NORMAL) at /home/h4writer/Build/ionmonkey/js/src/jsinterp.cpp:1963
#7  0x08132102 in js::RunScript (cx=0x8691710, script=0xf7306388, fp=0xf7541020) at /home/h4writer/Build/ionmonkey/js/src/jsinterp.cpp:483
#8  0x08132bc0 in js::ExecuteKernel (cx=0x8691710, script=0xf7306388, scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x0)
    at /home/h4writer/Build/ionmonkey/js/src/jsinterp.cpp:686
#9  0x08132deb in js::Execute (cx=0x8691710, script=0xf7306388, scopeChainArg=..., rval=0x0) at /home/h4writer/Build/ionmonkey/js/src/jsinterp.cpp:727
#10 0x08084480 in JS_ExecuteScript (cx=0x8691710, obj=0xf7303040, script=0xf7306388, rval=0x0) at /home/h4writer/Build/ionmonkey/js/src/jsapi.cpp:5313
#11 0x0804c340 in Process (cx=0x8691710, obj=0xf7303040, filename=0xffffd484 "/run/shm/deltablue.js.reduced", forceTTY=false) at /home/h4writer/Build/ionmonkey/js/src/shell/js.cpp:479
#12 0x08057f4c in ProcessArgs (cx=0x8691710, obj=0xf7303040, op=0xffffd194) at /home/h4writer/Build/ionmonkey/js/src/shell/js.cpp:5226
#13 0x080581a0 in Shell (cx=0x8691710, op=0xffffd194, envp=0xffffd2c8) at /home/h4writer/Build/ionmonkey/js/src/shell/js.cpp:5308
#14 0x08058b04 in main (argc=4, argv=0xffffd2b4, envp=0xffffd2c8) at /home/h4writer/Build/ionmonkey/js/src/shell/js.cpp:5546

Probably related and does points to a fault in ionmonkey is the following testcase.
(Is the same as previous, only addConstraint is adjusted)

function addConstraint(blaat) {
    blaat.v1.test
}

function ScaleConstraint() {
    this.direction = null
    this.v1 = {};
    addConstraint(this);
}

function EqualityConstraint() {
    this.v1 = {};
    addConstraint(this);
}

function deltaBlue() {
    new EqualityConstraint();
    new ScaleConstraint();
}

for (var n = 0; n<100; n++) {
    deltaBlue()
}

Backtrace in this case is:
#0  0x0805cfcc in js::HeapPtr<js::Shape, unsigned int>::operator js::Shape* (this=0x0) at ../../gc/Barrier.h:231
#1  0x0805a531 in JSObject::lastProperty (this=0x0) at ../../jsobj.h:521
#2  0x0805c9bb in JSObject::isNative (this=0x0) at ../../jsobjinlines.h:1161
#3  0x0839c5f3 in js::ion::GetPropertyCache (cx=0x8691710, cacheIndex=1, obj=0x0, vp=0xffffc58c) at /home/h4writer/Build/ionmonkey/js/src/ion/IonCaches.cpp:149
#4  0xf72cc43c in ?? ()
#5  0x08376d1d in EnterIon (cx=0x8691710, fp=0xf7541118, target=..., jitcode=0xf72cc628, osr=false) at /home/h4writer/Build/ionmonkey/js/src/ion/Ion.cpp:921
#6  0x08376f16 in js::ion::Cannon (cx=0x8691710, fp=0xf7541118) at /home/h4writer/Build/ionmonkey/js/src/ion/Ion.cpp:949
#7  0x0813e877 in js::Interpret (cx=0x8691710, entryFrame=0xf7541020, interpMode=js::JSINTERP_NORMAL) at /home/h4writer/Build/ionmonkey/js/src/jsinterp.cpp:2868
#8  0x08132102 in js::RunScript (cx=0x8691710, script=0xf7306388, fp=0xf7541020) at /home/h4writer/Build/ionmonkey/js/src/jsinterp.cpp:483
#9  0x08132bc0 in js::ExecuteKernel (cx=0x8691710, script=0xf7306388, scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x0)
    at /home/h4writer/Build/ionmonkey/js/src/jsinterp.cpp:686
#10 0x08132deb in js::Execute (cx=0x8691710, script=0xf7306388, scopeChainArg=..., rval=0x0) at /home/h4writer/Build/ionmonkey/js/src/jsinterp.cpp:727
#11 0x08084480 in JS_ExecuteScript (cx=0x8691710, obj=0xf7303040, script=0xf7306388, rval=0x0) at /home/h4writer/Build/ionmonkey/js/src/jsapi.cpp:5313
#12 0x0804c340 in Process (cx=0x8691710, obj=0xf7303040, filename=0xffffd484 "/run/shm/deltablue.js.reduced", forceTTY=false) at /home/h4writer/Build/ionmonkey/js/src/shell/js.cpp:479
#13 0x08057f4c in ProcessArgs (cx=0x8691710, obj=0xf7303040, op=0xffffd194) at /home/h4writer/Build/ionmonkey/js/src/shell/js.cpp:5226
#14 0x080581a0 in Shell (cx=0x8691710, op=0xffffd194, envp=0xffffd2c8) at /home/h4writer/Build/ionmonkey/js/src/shell/js.cpp:5308
#15 0x08058b04 in main (argc=4, argv=0xffffd2b4, envp=0xffffd2c8) at /home/h4writer/Build/ionmonkey/js/src/shell/js.cpp:5546

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fix

Thanks for reducing this! Looks like a typo in ICs, we were rejoining to the wrong location.

(The value being monitored was (Object, NULL) which is illegal, and it happened to be flowing right out of Ion code, which appeared to be overwriting one load with another.)

Comment 2

[David Anderson [:dvander] - inactive, e-mail if emergency]

http://hg.mozilla.org/projects/ionmonkey/rev/1c4fd153d04a