Closed
Bug 1133143
Opened 11 years ago
Closed 10 years ago
Crash [@ js::jit::AssemblerBufferWithConstantPools] involving oomAfterAllocations
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
WORKSFORME
| | Tracking | Status |
|---|---|---|
| firefox38 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(1 file)
12.10 KB,
text/plain
try {
f()
} catch (e) {
+e
}
try {
Function(" \
for (var j = 0; j < 9; ++j) { \
try { \
undefined() \
} catch (e) { \
+e \
} \
} \
oomAfterAllocations(27); \
neuter(x, ""); \
")()
} catch (e) {
+e
}
crashes js debug shell on m-c changeset 81f979b17fbd with --fuzzing-safe --no-threads --ion-eager at js::jit::AssemblerBufferWithConstantPools.
Debug configure options:
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-optimize --enable-more-deterministic --enable-nspr-build --32 --enable-arm-simulator -R ~/trees/mozilla-central" -r 81f979b17fbd
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/364dae502747
user: Jeff Walden
date: Wed Jul 17 12:14:39 2013 -0700
summary: Bug 894653 - Self-host Error.prototype.toString, and fix an edge-case bug in the current implementation. r=till
Waldo, is bug 894653 a likely regressor?
Flags: needinfo?(jwalden+bmo)
Comment 1 • 11 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x909ad, 0x986de1c7 libsystem_platform.dylib`_platform_memmove$VARIANT$sse42 + 215, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x986de1c7 libsystem_platform.dylib`_platform_memmove$VARIANT$sse42 + 215
frame #1: 0x006ae7e2 js-dbg-32-dm-nsprBuild-armSim-darwin-81f979b17fbd`js::jit::AssemblerBufferWithConstantPools<1024ul, 4ul, js::jit::Instruction, js::jit::Assembler>::finishPool() [inlined] void mozilla::PodAssign<js::jit::Pool>(aDst=<unavailable>, aSrc=0xbfffd934) + 50 at PodOperations.h:87
frame #2: 0x006ae7b0 js-dbg-32-dm-nsprBuild-armSim-darwin-81f979b17fbd`js::jit::AssemblerBufferWithConstantPools<1024ul, 4ul, js::jit::Instruction, js::jit::Assembler>::finishPool() [inlined] void mozilla::PodCopy<js::jit::Pool>(aDst=0x00000430, aNElem=<unavailable>) at PodOperations.h:107
frame #3: 0x006ae7b0 js-dbg-32-dm-nsprBuild-armSim-darwin-81f979b17fbd`js::jit::AssemblerBufferWithConstantPools<1024ul, 4ul, js::jit::Instruction, js::jit::Assembler>::finishPool(this=<unavailable>) + 1184 at IonAssemblerBufferWithConstantPools.h:689
frame #4: 0x0063de8f js-dbg-32-dm-nsprBuild-armSim-darwin-81f979b17fbd`js::jit::Assembler::finish() [inlined] js::jit::AssemblerBufferWithConstantPools<1024ul, 4ul, js::jit::Instruction, js::jit::Assembler>::flushPool(this=0xbfffd4b4) + 40 at IonAssemblerBufferWithConstantPools.h:703
(lldb)
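The backtrace above ends in a memmove to address 0 inside finishPool while oomAfterAllocations is armed, which is the shape of a copy into an allocation that was never checked for failure. The following is an added example, not SpiderMonkey code and not a claim about this bug's root cause: a constructed allocation-failure injector in the spirit of the shell's oomAfterAllocations(n), a hardened finish-pool step that checks every allocation and unwinds partial state, and the OOM sweep a fuzzer or unit test runs over every arming point to prove each path either succeeds or fails cleanly without a crash or a leak. All names (oom_after_allocations, inj_alloc, finish_pool, oom_sweep, the pool structs) are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocation-failure injector, modelled on the shell's
 * oomAfterAllocations(n): once armed, the n-th allocation fails and so does
 * every later one until disarmed.  Names are assumptions for this example. */
static long oom_countdown = -1;     /* -1 = disarmed */
static long live_allocations = 0;   /* leak detector used by the sweep */

void oom_after_allocations(long n) { oom_countdown = n; }
void oom_disarm(void) { oom_countdown = -1; }
long oom_live_allocations(void) { return live_allocations; }

static void *inj_alloc(size_t size) {
    if (oom_countdown >= 0) {
        if (oom_countdown == 0)
            return NULL;            /* injected failure */
        oom_countdown--;
    }
    void *p = malloc(size);
    if (p)
        live_allocations++;
    return p;
}

static void inj_free(void *p) {
    if (p) {
        live_allocations--;
        free(p);
    }
}

/* Minimal stand-in for a constant pool attached to an assembler buffer. */
typedef struct { uint32_t *words; size_t len; } pool_t;
typedef struct { pool_t *pools; size_t npools; } asm_buf_t;

/* Hardened finish-pool step: every allocation is checked before anything is
 * copied into it, and partial state is released on failure so the caller can
 * unwind.  Returns 0 on success, -1 on OOM.  Two allocations per call. */
int finish_pool(asm_buf_t *buf, const uint32_t *consts, size_t n) {
    uint32_t *words = inj_alloc(n * sizeof *words);
    if (!words)
        return -1;                  /* never memcpy into a failed allocation */
    memcpy(words, consts, n * sizeof *words);

    pool_t *pools = inj_alloc((buf->npools + 1) * sizeof *pools);
    if (!pools) {
        inj_free(words);            /* undo the first allocation */
        return -1;
    }
    if (buf->npools)
        memcpy(pools, buf->pools, buf->npools * sizeof *pools);
    inj_free(buf->pools);
    pools[buf->npools].words = words;
    pools[buf->npools].len = n;
    buf->pools = pools;
    buf->npools++;
    return 0;
}

void asm_buf_free(asm_buf_t *buf) {
    for (size_t i = 0; i < buf->npools; i++)
        inj_free(buf->pools[i].words);
    inj_free(buf->pools);
    buf->pools = NULL;
    buf->npools = 0;
}

/* OOM sweep: arm the injector at every point 0..max_n, run two finish_pool
 * calls, and verify each run either succeeds or fails cleanly (no crash, no
 * leaked allocation).  Returns the number of arming points that produced a
 * clean failure, or -1 if any run leaked memory. */
int oom_sweep(long max_n) {
    const uint32_t consts[] = { 0xdeadbeef, 0x1, 0x2 };   /* constructed input */
    int clean_failures = 0;
    for (long n = 0; n <= max_n; n++) {
        asm_buf_t buf = { NULL, 0 };
        oom_after_allocations(n);
        int rc1 = finish_pool(&buf, consts, 3);
        int rc2 = finish_pool(&buf, consts, 3);
        oom_disarm();
        asm_buf_free(&buf);
        if (oom_live_allocations() != 0)
            return -1;              /* a failure path leaked */
        if (rc1 != 0 || rc2 != 0)
            clean_failures++;
    }
    return clean_failures;          /* 4 for max_n >= 3: arming points 0..3 */
}
```

The sweep is the useful part: two finish_pool calls make four allocations, so arming points 0 through 3 each hit a different failure site and point 4 onward succeeds. A crash at any arming point, or a non-zero live-allocation count afterwards, is the signal the fuzzer is looking for; a real harness would run the sweep to the point where the operation first succeeds fully, as the fuzzer here did by varying the argument to oomAfterAllocations.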
Comment 2 • 10 years ago
It might have caused things to break, but I suspect only because the self-hosted version perturbs allocations just enough to cause a failure. Calling a JSNative version of the method wouldn't have those allocations. Nothing in my patch seems likely to be intrinsically responsible for the problem here, so I'm punting this back.
Flags: needinfo?(jwalden+bmo)
Comment 3 • 10 years ago (Reporter)
Forwarding to Marty due to this being related to the ARM simulator.
Flags: needinfo?(mrosenberg)
Updated • 10 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 4 • 10 years ago
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
Comment 5 • 10 years ago (Reporter)
Bouncing to Jan - Marty is no longer paid staff with Mozilla. Maybe this is related to bug 1130672?
Flags: needinfo?(marty.rosenberg) → needinfo?(jdemooij)
Comment 6 • 10 years ago (Reporter)
I can no longer reproduce this with m-c rev caf25344f73e.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → WORKSFORME
Comment 7 • 10 years ago (Reporter)
For archival purposes, there likely was a mistake in the testcase in comment 0; the real one is:
try {
f()
} catch (e) {
+e
}
try {
Function(" \
for (var j = 0; j < 9; ++j) { \
try { \
undefined() \
} catch (e) { \
+e \
} \
} \
oomAfterAllocations(2); \
neuter(x, \"\"); \
")()
} catch (e) {
+e
}
I've rechecked that both testcases WFM per comment 6.