1108145 - Crash [@ js::jit::BaselineScript::anyKindICEntryFromPCOffset]

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Randomly chosen test: js/src/jit-test/tests/basic/testIncDecReadOnly.js
Object.defineProperty(this, "x", { value: 0 });
// Randomly chosen test: js/src/jit-test/tests/ion/bug674664-2.js
timeout(0.01);
// Randomly chosen test: js/src/jit-test/tests/debug/onExceptionUnwind-05.js
g = newGlobal();
g.parent = this;
g.eval("Debugger(parent).onExceptionUnwind = function(){};");
// Randomly chosen test: js/src/jit-test/tests/basic/testConstructorArgs-1.js
load("a.js")

and a.js is:

for (var x = 0; x < 2; ++x) {}

crashes js debug shell on m-c changeset 18188c19a3c3 with --no-threads --ion-eager at js::jit::BaselineScript::anyKindICEntryFromPCOffset.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/18188c19a3c3/js/src/jit-test/tests/basic/testIncDecReadOnly.js
http://hg.mozilla.org/mozilla-central/file/18188c19a3c3/js/src/jit-test/tests/ion/bug674664-2.js
http://hg.mozilla.org/mozilla-central/file/18188c19a3c3/js/src/jit-test/tests/debug/onExceptionUnwind-05.js
http://hg.mozilla.org/mozilla-central/file/18188c19a3c3/js/src/jit-test/tests/basic/testConstructorArgs-1.js

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/df2462ab460b
user:        Shu-yu Guo
date:        Wed Nov 26 13:35:57 2014 -0800
summary:     Bug 1100337 - Cheat when computing resume address for propagating exception for debug mode in Ion exception handler. (r=jandem)

Shu-yu, is bug 1100337 a likely regressor?

(not using JSBugMon because I cannot seem to take away the call to the load function, so bonus points to anyone who can...)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x456e1d, 0x0000000100249dfa js-dbg-opt-64-dm-nsprBuild-darwin-18188c19a3c3`js::jit::BaselineScript::anyKindICEntryFromPCOffset(unsigned int) [inlined] js::jit::BaselineScript::icEntry(unsigned long) + 28 at BaselineJIT.cpp:496, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100249dfa js-dbg-opt-64-dm-nsprBuild-darwin-18188c19a3c3`js::jit::BaselineScript::anyKindICEntryFromPCOffset(unsigned int) [inlined] js::jit::BaselineScript::icEntry(unsigned long) + 28 at BaselineJIT.cpp:496
    frame #1: 0x0000000100249dde js-dbg-opt-64-dm-nsprBuild-darwin-18188c19a3c3`js::jit::BaselineScript::anyKindICEntryFromPCOffset(unsigned int) [inlined] ComputeBinarySearchMid(baseline=<unavailable>) at BaselineJIT.cpp:564
    frame #2: 0x0000000100249dde js-dbg-opt-64-dm-nsprBuild-darwin-18188c19a3c3`js::jit::BaselineScript::anyKindICEntryFromPCOffset(this=<unavailable>, pcOffset=<unavailable>) + 270 at BaselineJIT.cpp:579
    frame #3: 0x00000001001ebbd3 js-dbg-opt-64-dm-nsprBuild-darwin-18188c19a3c3`InitFromBailout(cx=0x0000000101d01cf0, callerPC=<unavailable>, ionScript=<unavailable>, iter=<unavailable>, invalidate=<unavailable>, builder=0x0000000101afaea8, startFrameFormals=<unavailable>, callPC=<unavailable>, excInfo=<unavailable>, poppedLastSPSFrameOut=0x0000000000000002, caller=<unavailable>, fun=<unavailable>, script=<unavailable>, nextCallee=<unavailable>) + 9955 at BaselineBailouts.cpp:1041
    frame #4: 0x00000001001e8e1d js-dbg-opt-64-dm-nsprBuild-darwin-18188c19a3c3`js::jit::BailoutIonToBaseline(cx=0x0000000101d01cf0, activation=<unavailable>, iter=0x00007fff5fbfcf10, invalidate=<unavailable>, bailoutInfo=0x00007fff5fbfcf08, excInfo=0x00007fff5fbfd570, poppedLastSPSFrameOut=<unavailable>) + 1709 at BaselineBailouts.cpp:1507
(lldb)

Comment 2

[Shu-yu Guo [:shu]]

Attachment: Fix timing issue with onExceptionUnwind due to interrupt-generated exceptions at loop heads.

The timing required to have hit this is kind of amazing.

Comment 4

[Shu-yu Guo [:shu]]

Attachment: Fix debug mode in-place Ion->Baseline bailout at loop heads.

v2. Improved the previous fix and added the test case from bug 1108556, which
does not depend on timing.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Assigning to Shu-yu since he has a patch.

Comment 6

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/877e91964ea9

Comment 7

[Jan de Mooij [:jandem]]

Shu, can you please backport those debugger patches if needed? Based on some comments on crash-stats, Aurora is pretty crashy when using the debugger...

Comment 8

[Shu-yu Guo [:shu]]

Filed bug 1114757 and got a rollup patch for a? there.

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Fixed for Fx36 by the roll-up in bug 1114757.

Comment 10

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Randomly chosen test: js/src/jit-test/tests/basic/testIncDecReadOnly.js
Object.defineProperty(this, "x", {
    value: 0
});
// Randomly chosen test: js/src/jit-test/tests/ion/bug674664-2.js
timeout(0.01);
// Randomly chosen test: js/src/jit-test/tests/debug/onExceptionUnwind-05.js
g = newGlobal();
g.parent = this;
g.eval("Debugger(parent).onExceptionUnwind = function(){};");
// Randomly chosen test: js/src/jit-test/tests/basic/testConstructorArgs-1.js
evaluate(`
    for (var x = 0; x < 1; ++x) {}
`, {
    compileAndGo: true
})

crashes js debug shell on m-c changeset 18188c19a3c3 with --no-threads --ion-eager at js::jit::BaselineScript::anyKindICEntryFromPCOffset.

(I made the testcase in comment 0 into a standalone one, let's see if jsbugmon can do verification)