Crash [@ js::jit::AssemblerX86Shared::jmpSrc] involving --unboxed-objects

RESOLVED FIXED in Firefox 40

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 3 years ago
Modified: 3 years ago

People

(Reporter: gkw, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Version: Trunk
Target Milestone: mozilla40
Platform: x86_64 Mac OS X
Keywords: crash, regression, testcase

Firefox Tracking Flags

(firefox40 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
for (var i = 0; i < 9999; i++) {
    (function() {
        ({
            e: this,
            e: 0
        })
    })()
}

crashes js debug shell on m-c changeset 421548077f12 with --fuzzing-safe --no-threads --baseline-eager --unboxed-objects at js::jit::AssemblerX86Shared::jmpSrc.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 421548077f12

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6470d649e1bb
user:        Brian Hackett
date:        Sun Mar 01 16:31:41 2015 -0600
summary:     Bug 1135423 - Use unboxed objects for object literals where possible, clean up object literal creation and property initialization code, r=jandem.

Brian, is bug 1135423 a likely regressor?
Flags: needinfo?(bhackett1024)
(Reporter)

Comment 1

3 years ago
Created attachment 8588380 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x5dba4, 0x00000001007a46d5 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::AssemblerX86Shared::jmpSrc(js::jit::Label*) [inlined] js::jit::LabelBase::bound() const at Label.h:34, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001007a46d5 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::AssemblerX86Shared::jmpSrc(js::jit::Label*) [inlined] js::jit::LabelBase::bound() const at Label.h:34
    frame #1: 0x00000001007a46d5 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::AssemblerX86Shared::jmpSrc(this=0x00007fff5fbfdab8, label=0x0000000000000000) + 21 at Assembler-x86-shared.h:810
    frame #2: 0x000000010054c05e js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::SetPropertyIC::attachSetUnboxed(JSContext*, JS::Handle<JSScript*>, js::jit::IonScript*, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JSValueType, bool) [inlined] GenerateSetUnboxed(cx=0x00000001028a5180, masm=0x00007fff5fbfdad8, obj=0x0000000102926ac0, unboxedOffset=<unavailable>, unboxedType=<unavailable>, value=ConstantOrRegister at 0x00007fff5fbfe460) + 374 at IonCaches.cpp:3085
    frame #3: 0x000000010054bee8 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::SetPropertyIC::attachSetUnboxed(this=0x00000001028cf4b8, cx=0x00000001028a5180, ion=0x00000001028cf400, unboxedOffset=<unavailable>, unboxedType=JSVAL_TYPE_INT32, checkTypeset=<unavailable>, outerScript=<unavailable>, obj=<unavailable>, id=<unavailable>) + 232 at IonCaches.cpp:3104
    frame #4: 0x000000010054cfd7 js-dbg-64-dm-nsprBuild-darwin-421548077f12`js::jit::SetPropertyIC::update(cx=0x00000001028a5180, cacheIndex=<unavailable>, outerScript=<unavailable>, obj=<unavailable>, value=<unavailable>) + 3335 at IonCaches.cpp:3253
(lldb)
(Assignee)

Comment 2

3 years ago
Created attachment 8588792 [details] [diff] [review]
patch

The testing which Ion ICs use for whether the value being written can definitely be stored in an unboxed object is no longer correct.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8588792 - Flags: review?(jdemooij)
(Reporter)

Updated

3 years ago
Whiteboard: [jsbugmon:update]

Updated

3 years ago
Attachment #8588792 - Flags: review?(jdemooij) → review+
(Assignee)

Comment 3

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/20f88bc673f5
https://hg.mozilla.org/mozilla-central/rev/20f88bc673f5
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox40: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40