1162071 - Crash [@ js::jit::Simulator::decodeSpecialCondition] with gczeal

Status: RESOLVED DUPLICATE of bug 1135707

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision ba44099cbd07 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --disable-debug, run with --ion-eager --arm-asm-nop-fill=1 --arm-sim-icache-checks --no-threads):

gczeal(14, 17);
function f(o) {
    var res = 0;
    for (var i=0; i<110; i++)
      res += o.x;
}
function O(x) {}
var o = new O();
f(o);
o.__defineGetter__("x", function() { Array(f) ^ false });
f(o);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::Simulator::decodeSpecialCondition (this=this@entry=0xf7a35000, instr=instr@entry=0xf7c6bd74) at js/src/jit/arm/Simulator-arm.cpp:4151
#0  js::jit::Simulator::decodeSpecialCondition (this=this@entry=0xf7a35000, instr=instr@entry=0xf7c6bd74) at js/src/jit/arm/Simulator-arm.cpp:4151
#1  0x08473614 in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a35000, instr=instr@entry=0xf7c6bd74) at js/src/jit/arm/Simulator-arm.cpp:4168
#2  0x08475eb4 in execute<false> (this=0xf7a35000) at js/src/jit/arm/Simulator-arm.cpp:4246
#3  js::jit::Simulator::callInternal (this=this@entry=0xf7a35000, entry=entry@entry=0xf7fc8db0 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4334
#4  0x084760c6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8db0 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#5  0x083ba649 in EnterIon (data=..., cx=0xf7a5a0e0) at js/src/jit/Ion.cpp:2390
#6  js::jit::IonCannon (cx=cx@entry=0xf7a5a0e0, state=...) at js/src/jit/Ion.cpp:2472
#7  0x081c6fe4 in js::RunScript (cx=cx@entry=0xf7a5a0e0, state=...) at js/src/vm/Interpreter.cpp:657
#8  0x081c7156 in js::Invoke (cx=cx@entry=0xf7a5a0e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#9  0x081c7bfb in js::Invoke (cx=cx@entry=0xf7a5a0e0, thisv=..., fval=..., argc=argc@entry=1, argv=0xf65ffed0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:783
#10 0x08340fe6 in js::jit::DoCallFallback (cx=0xf7a5a0e0, frame=frame@entry=0xf65fff00, stub_=stub_@entry=0xf7a213b0, argc=argc@entry=1, vp=vp@entry=0xf65ffec0, res=res@entry=...) at js/src/jit/BaselineIC.cpp:10412
#11 0x084732c9 in js::jit::Simulator::softwareInterrupt (this=0xf7a35000, instr=0xf7a02e44) at js/src/jit/arm/Simulator-arm.cpp:2173
#12 0x0847348d in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a35000, instr=instr@entry=0xf7a02e44) at js/src/jit/arm/Simulator-arm.cpp:3272
#13 0x084737cc in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a35000, instr=instr@entry=0xf7a02e44) at js/src/jit/arm/Simulator-arm.cpp:4191
#14 0x08475eb4 in execute<false> (this=0xf7a35000) at js/src/jit/arm/Simulator-arm.cpp:4246
#15 js::jit::Simulator::callInternal (this=this@entry=0xf7a35000, entry=entry@entry=0xf7fc8db0 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4334
#16 0x084760c6 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8db0 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4417
#17 0x083ba649 in EnterIon (data=..., cx=0xf7a5a0e0) at js/src/jit/Ion.cpp:2390
#18 js::jit::IonCannon (cx=cx@entry=0xf7a5a0e0, state=...) at js/src/jit/Ion.cpp:2472
#19 0x081c6fe4 in js::RunScript (cx=cx@entry=0xf7a5a0e0, state=...) at js/src/vm/Interpreter.cpp:657
#20 0x081cf247 in js::ExecuteKernel (cx=<optimized out>, cx@entry=0xf7a5a0e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=<optimized out>, type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=<optimized out>, result@entry=0x0) at js/src/vm/Interpreter.cpp:902
#21 0x081cf416 in js::Execute (cx=cx@entry=0xf7a5a0e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:942
#22 0x084fa59c in ExecuteScript (cx=cx@entry=0xf7a5a0e0, obj=..., scriptArg=scriptArg@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4159
#23 0x084fa6c1 in JS_ExecuteScript (cx=cx@entry=0xf7a5a0e0, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4181
#24 0x080668e4 in RunFile (compileOnly=false, file=0xf6227720, filename=<optimized out>, cx=0xf7a5a0e0) at js/src/shell/js.cpp:468
#25 Process (cx=cx@entry=0xf7a5a0e0, filename=<optimized out>, forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:598
#26 0x08075361 in ProcessArgs (op=0xffffcbc0, cx=<optimized out>) at js/src/shell/js.cpp:5799
#27 Shell (envp=0xffffcd10, op=0xffffcbc0, cx=<optimized out>) at js/src/shell/js.cpp:6068
#28 main (argc=6, argv=0xffffccf4, envp=0xffffcd10) at js/src/shell/js.cpp:6390
eax	0xfffffe58	-424
ebx	0x93523cc	154477516
ecx	0x0	0
edx	0x1a	26
esi	0xf7a35000	-140292096
edi	0xf7c6bd74	-137970316
ebp	0xf7c6bd74	4156996980
esp	0xffffb910	4294949136
eip	0x8470758 <js::jit::Simulator::decodeSpecialCondition(js::jit::SimInstruction*)+600>
=> 0x8470758 <js::jit::Simulator::decodeSpecialCondition(js::jit::SimInstruction*)+600>:	movl   $0x1037,0x0
   0x8470762 <js::jit::Simulator::decodeSpecialCondition(js::jit::SimInstruction*)+610>:	call   0x808c390 <abort()>


Marking s-s because the test includes gczeal.

Comment 1

[Daniel Veditz [:dveditz]]

Assuming sec-high assuming this is a bug in ARM jitting. If it's a bug specific to the Simulator though it would be less serious since fewer people run that (though still high-value targets like "people with check-in privs").

Sean: can you help get this bug to the right owner?

Comment 2

[Sean Stangl [:sstangl]]

This looks like it's likely the same issue as Bug 1135707.

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d96d552ff899
user:        Jan de Mooij
date:        Wed Feb 11 14:42:01 2015 +0100
summary:     Bug 1129382 - Add Ion ICs for scripted getters/setters. r=efaust,nbp,djvj

This iteration took 238.683 seconds to run.

Comment 4

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision b9424d63fe35).

Comment 5

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9571f765357d
user:        Jon Coppeard
date:        Wed May 20 10:30:46 2015 +0100
summary:     Bug 1135707 - Fix interaction between Arm NOP fill and calculation of IonCache rejoin label r=jandem

This iteration took 221.366 seconds to run.