Closed
Bug 1214059
Opened 10 years ago
Closed 10 years ago
Hit MOZ_CRASH(Invalid PC offset for IC entry.) at js/src/jit/BaselineJIT.cpp:630
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla46
People
(Reporter: decoder, Assigned: h4writer)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file, 1 obsolete file)
Patch, 35.08 KB (jandem: review+)
The following testcase crashes on mozilla-central revision b235cfd4d8ca (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --thread-count=2):
var g = newGlobal();
g.parent = this;
// In the new global, a Debugger watching the parent installs an onStep
// handler on the older frame whenever an exception unwinds; that forces
// debug-mode OSR of the Baseline script that is still on the stack.
g.eval("(" + function(i) {
  var dbg = new Debugger(parent);
  dbg.onExceptionUnwind = function(frame) {
    frame.older.onStep = function() {}
  };
} + ")()");
// Spin until the loop has been OSR'ed into Ion.
function test() {
  for (var res = false; !res; res = inIon()) {};
}
// The exception thrown from this call inside the onIonCompilation hook
// is what fires onExceptionUnwind above (see the backtrace).
function assertOnIonCompilationArgument(obj) {
  assertJSON(obj.json, obj.scripts);
}
g.eval(`
  var dbg = new Debugger();
  var parentw = dbg.addDebuggee(parent);
  dbg.onIonCompilation = function (graph) {
    parent.assertOnIonCompilationArgument(graph);
  };
`);
test();
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x08237275 in js::jit::BaselineScript::icEntryFromPCOffset (this=0xf7ac6d30, pcOffset=30) at js/src/jit/BaselineJIT.cpp:630
#0 0x08237275 in js::jit::BaselineScript::icEntryFromPCOffset (this=0xf7ac6d30, pcOffset=30) at js/src/jit/BaselineJIT.cpp:630
#1 0x08889b46 in fallbackStub (this=0xf7a99140) at js/src/jit/BaselineDebugModeOSR.cpp:141
#2 CloneOldBaselineStub (entryIndex=<optimized out>, entries=..., cx=<optimized out>) at js/src/jit/BaselineDebugModeOSR.cpp:737
#3 js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=cx@entry=0xf7a78020, obs=..., observing=observing@entry=js::Debugger::Observing) at js/src/jit/BaselineDebugModeOSR.cpp:893
#4 0x085d5847 in js::Debugger::updateExecutionObservabilityOfFrames (cx=cx@entry=0xf7a78020, obs=..., observing=js::Debugger::Observing) at js/src/vm/Debugger.cpp:1974
#5 0x085d5b9a in js::Debugger::ensureExecutionObservabilityOfFrame (cx=0xf7a78020, frame=...) at js/src/vm/Debugger.cpp:2162
#6 0x085dfa48 in js::Debugger::getScriptFrameWithIter (this=this@entry=0xf7a54000, cx=0xf7a78020, frame=..., maybeIter=maybeIter@entry=0xffff9944, vp=...) at js/src/vm/Debugger.cpp:482
#7 0x085e006a in getScriptFrame (vp=..., iter=..., cx=<optimized out>, this=0xf7a54000) at js/src/vm/Debugger.h:898
#8 DebuggerFrame_getOlder (cx=0xf7a78020, argc=0, vp=0xffff9d90) at js/src/vm/Debugger.cpp:6248
#9 0x0865ab3a in js::CallJSNative (cx=0xf7a78020, native=0x85dfdb0 <DebuggerFrame_getOlder(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#10 0x0865296f in js::Invoke (cx=cx@entry=0xf7a78020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:773
#11 0x086536ee in js::Invoke (cx=cx@entry=0xf7a78020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:828
#12 0x086537cc in js::InvokeGetter (cx=cx@entry=0xf7a78020, thisv=..., fval=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:937
#13 0x08653b22 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0xf7a78020) at js/src/vm/NativeObject.cpp:1655
#14 GetExistingProperty<(js::AllowGC)1> (cx=0xf7a78020, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1707
#15 0x08654211 in NativeGetPropertyInline<(js::AllowGC)1> (cx=0xf7a78020, obj=..., receiver=..., id=..., nameLookup=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:1922
#16 0x0865487c in js::NativeGetProperty (cx=<optimized out>, cx@entry=0xf7a78020, obj=..., obj@entry=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=vp@entry=...) at js/src/vm/NativeObject.cpp:1956
#17 0x085ab5da in js::GetProperty (cx=cx@entry=0xf7a78020, obj=obj@entry=..., receiver=receiver@entry=..., id=id@entry=..., vp=vp@entry=...) at js/src/vm/NativeObject.h:1433
#18 0x0867038e in js::GetProperty (cx=0xf7a78020, obj=..., receiver=..., name=0xf573b540, vp=...) at js/src/jsobj.h:834
#19 0x086549f2 in js::GetProperty (cx=0xf7a78020, v=v@entry=..., name=name@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:4291
#20 0x086433d6 in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0xffffa300) at js/src/vm/Interpreter.cpp:262
#21 Interpret (cx=cx@entry=0xf7a78020, state=...) at js/src/vm/Interpreter.cpp:2822
#22 0x08651fc1 in js::RunScript (cx=cx@entry=0xf7a78020, state=...) at js/src/vm/Interpreter.cpp:714
#23 0x08652a46 in js::Invoke (cx=cx@entry=0xf7a78020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:791
#24 0x086536ee in js::Invoke (cx=cx@entry=0xf7a78020, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0xffffa710, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:828
#25 0x085eee03 in js::Debugger::fireExceptionUnwind (this=this@entry=0xf7a54000, cx=cx@entry=0xf7a78020, vp=vp@entry=...) at js/src/vm/Debugger.cpp:1223
#26 0x085ef228 in operator() (dbg=0xf7a54000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:739
#27 dispatchHook<js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::__lambda5, js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::__lambda6> (fireHook=..., cx=0xf7a78020, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1398
#28 js::Debugger::slowPathOnExceptionUnwind (cx=cx@entry=0xf7a78020, frame=frame@entry=...) at js/src/vm/Debugger.cpp:740
#29 0x0864296c in onExceptionUnwind (frame=..., cx=0xf7a78020) at js/src/vm/Debugger-inl.h:58
#30 HandleError (regs=..., cx=0xf7a78020) at js/src/vm/Interpreter.cpp:1481
#31 Interpret (cx=cx@entry=0xf7a78020, state=...) at js/src/vm/Interpreter.cpp:4184
#32 0x08651fc1 in js::RunScript (cx=cx@entry=0xf7a78020, state=...) at js/src/vm/Interpreter.cpp:714
#33 0x08652a46 in js::Invoke (cx=cx@entry=0xf7a78020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:791
#34 0x086536ee in js::Invoke (cx=cx@entry=0xf7a78020, thisv=..., fval=..., argc=1, argv=0xf56bb130, rval=...) at js/src/vm/Interpreter.cpp:828
#35 0x0859de22 in js::DirectProxyHandler::call (this=this@entry=0x97fd0f8 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xf7a78020, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#36 0x085a5165 in js::CrossCompartmentWrapper::call (this=0x97fd0f8 <js::CrossCompartmentWrapper::singleton>, cx=0xf7a78020, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#37 0x085a1f1a in js::Proxy::call (cx=cx@entry=0xf7a78020, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:412
#38 0x085a1fba in js::proxy_Call (cx=0xf7a78020, argc=1, vp=0xf56bb120) at js/src/proxy/Proxy.cpp:710
#39 0x0865ab3a in js::CallJSNative (cx=0xf7a78020, native=0x85a1f40 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#40 0x0865296f in js::Invoke (cx=0xf7a78020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:773
#41 0x0864b177 in Interpret (cx=cx@entry=0xf7a78020, state=...) at js/src/vm/Interpreter.cpp:3098
#42 0x08651fc1 in js::RunScript (cx=cx@entry=0xf7a78020, state=...) at js/src/vm/Interpreter.cpp:714
#43 0x08652a46 in js::Invoke (cx=cx@entry=0xf7a78020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:791
#44 0x086536ee in js::Invoke (cx=0xf7a78020, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0xffffba30, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:828
#45 0x085e859f in js::Debugger::fireOnIonCompilationHook (this=this@entry=0xf7a54800, cx=cx@entry=0xf7a78020, scripts=scripts@entry=..., graph=...) at js/src/vm/Debugger.cpp:1361
#46 0x085e8a57 in operator() (dbg=0xf7a54800, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:1691
#47 dispatchHook<js::Debugger::slowPathOnIonCompilation(JSContext*, JS::Handle<js::TraceableVector<JSScript*> >, js::LSprinter&)::__lambda9, js::Debugger::slowPathOnIonCompilation(JSContext*, JS::Handle<js::TraceableVector<JSScript*> >, js::LSprinter&)::__lambda10> (fireHook=..., cx=0xf7a78020, cx@entry=0xffffbb70, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1398
#48 js::Debugger::slowPathOnIonCompilation (cx=cx@entry=0xf7a78020, scripts=scripts@entry=..., graph=...) at js/src/vm/Debugger.cpp:1693
#49 0x082de865 in onIonCompilation (graph=..., scripts=..., cx=0xf7a78020) at js/src/vm/Debugger-inl.h:81
#50 js::jit::LazyLink (cx=cx@entry=0xf7a78020, calleeScript=calleeScript@entry=...) at js/src/jit/Ion.cpp:617
#51 0x082e030b in js::jit::CanEnterAtBranch (cx=cx@entry=0xf7a78020, script=script@entry=..., osrFrame=osrFrame@entry=0xf59fff00, pc=pc@entry=0xf7a16f67 "\343\201V") at js/src/jit/Ion.cpp:2474
#52 0x0885b065 in EnsureCanEnterIon (stub=0xf56651c8, jitcodePtr=<synthetic pointer>, pc=0xf7a16f67 "\343\201V", script=..., frame=0xf59fff00, cx=0xf7a78020) at js/src/jit/BaselineIC.cpp:104
#53 js::jit::DoWarmUpCounterFallback (cx=cx@entry=0xf7a78020, frame=frame@entry=0xf59fff00, stub=stub@entry=0xf56651c8, infoPtr=infoPtr@entry=0xf59ffee4) at js/src/jit/BaselineIC.cpp:268
#54 0x08439f7d in js::jit::Simulator::softwareInterrupt (this=0xf7a77000, instr=0xf7a02894) at js/src/jit/arm/Simulator-arm.cpp:2173
[...]
#72 main (argc=4, argv=0xffffce44, envp=0xffffce58) at js/src/shell/js.cpp:6677
eax 0x0 0
ebx 0x97cba9c 159169180
ecx 0xf7e3b88c -136071028
edx 0x0 0
esi 0x1a 26
edi 0xf7ac6da8 -139694680
ebp 0xffff91f8 4294939128
esp 0xffff91d0 4294939088
eip 0x8237275 <js::jit::BaselineScript::icEntryFromPCOffset(unsigned int)+213>
=> 0x8237275 <js::jit::BaselineScript::icEntryFromPCOffset(unsigned int)+213>: movl $0x276,0x0
0x823727f <js::jit::BaselineScript::icEntryFromPCOffset(unsigned int)+223>: call 0x80fd810 <abort()>
Comment 1•10 years ago
TC fails also on Linux x86 native both 32-bit and 64-bit. Probably a cross-architecture problem.
Component: JavaScript Engine → JavaScript Engine: JIT
Hardware: ARM → All
Updated•10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3•10 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3bbd0d929128
user: Hannes Verschore
date: Fri Aug 14 17:57:57 2015 +0200
summary: Bug 1178834: IonMonkey - Always lazy link code, r=jandem
This iteration took 248.648 seconds to run.
Comment 4•10 years ago
Hannes, is bug 1178834 a likely regressor?
Blocks: 1178834
Flags: needinfo?(hv1989)
Assignee
Comment 5•10 years ago
looking
Assignee
Comment 7•10 years ago
Patch like described. Split warmup counter into using stub for OSR in Ion and vm call for prologue. Adding extra code to handle that specific vm call during replacing Baseline script on stack during switching debug mode
Assignee
Comment 8•10 years ago
(In reply to Hannes Verschore [:h4writer] from comment #7)
> Created attachment 8705044 [details] [diff] [review]
> Patch
>
> Patch like described. Split warmup counter into using stub for OSR in Ion
> and vm call for prologue. Adding extra code to handle that specific vm call
> during replacing Baseline script on stack during switching debug mode
s/described/discussed
Comment 9•10 years ago
Comment on attachment 8705044 [details] [diff] [review]
Patch
Review of attachment 8705044 [details] [diff] [review]:
-----------------------------------------------------------------
Looks great, but below some ideas to clean up the code a bit more.
::: js/src/jit/BaselineCompiler.cpp
@@ +753,5 @@
>
> + // Try to compile and/or finish a compilation.
> + if (JSOp(*pc) == JSOP_LOOPENTRY) {
> + // During the loop entry we can try to OSR into ion,
> + // which the IC has logic for.
Nit "which the IC has logic for" sounds wrong. Maybe "the IC has logic for this." or something?
@@ +759,5 @@
> + if (!emitOpIC(stubCompiler.getStub(&stubSpace_)))
> + return false;
> + } else {
> + // During the prologue we don't have a dedicated OP,
> + // which can hoist the warmup IC. As a result use a special
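Review bot: the two branches here use different mechanisms (an IC stub on the loop-entry side, something else on the prologue side), but the prologue comment only says what is missing ("we don't have a dedicated OP"); since comment 7 says that path is the VM call, state that explicitly next to the `else` so the asymmetry is explained at the call site rather than only in the bug discussion.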
Nit: not sure what 'hoist' means in this context.
::: js/src/jit/BaselineIC.cpp
@@ +90,5 @@
> // WarmUpCounter_Fallback
> //
>
> static bool
> +EnsureCanEnterIon(JSContext* cx, BaselineFrame* frame, HandleScript script, jsbytecode* pc)
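Review bot: the `// WarmUpCounter_Fallback` section header a few lines above still presents this function as an IC fallback, while the new signature no longer takes a stub and instead takes `script` and `pc` directly (and `script` is already reachable from `frame`); update or move that section comment together with any rename, so the IC-section layout of the file does not advertise a fallback stub that this function no longer is.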
Nit: we can get the script from the frame.
Because these functions no longer have a stub argument, I think it'd be nice to merge this function with DoWarmUpCounterFallback, maybe rename this function (IonCompileScriptForBaseline?), and move it to BaselineJIT.cpp, Ion.cpp or VMFunctions.cpp
Attachment #8705044 -
Flags: review?(jdemooij)
Comment 10•10 years ago
(In reply to Jan de Mooij [:jandem] from comment #9)
> rename this function (IonCompileScriptForBaseline?), and move it to BaselineJIT.cpp,
> Ion.cpp or VMFunctions.cpp
If we move it to Ion.cpp, we no longer have to export CompileFunctionForBaseline and CanEnterAtBranch and we can make them static.
Assignee
Comment 11•10 years ago
Addresses requested issues
Attachment #8705044 -
Attachment is obsolete: true
Attachment #8709107 -
Flags: review?(jdemooij)
Comment 12•10 years ago
Comment on attachment 8709107 [details] [diff] [review]
Patch
Review of attachment 8709107 [details] [diff] [review]:
-----------------------------------------------------------------
Nice refactoring, thanks!
::: js/src/jit/BaselineCompiler.cpp
@@ +743,5 @@
> return true;
> }
>
> + if (JSOp(*pc) != JSOP_LOOPENTRY)
> + frame.syncStack(0);
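Review bot: guarding `frame.syncStack(0)` on `JSOp(*pc) != JSOP_LOOPENTRY` relies on the loop-entry path already arriving with a synced stack; if that is an invariant rather than a case that needs fixing up, assert it (`frame.assertSyncedStack()`) instead of conditionally syncing, so a broken invariant fails loudly in debug builds rather than being silently repaired on one path and unchecked on the other.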
Nit: I think this can be |frame.assertSyncedStack();| Maybe move it before |Register countReg = R0.scratchReg();|, as that code also relies on R0 being unused.
Attachment #8709107 -
Flags: review?(jdemooij) → review+
Comment 13•10 years ago
Comment 14•10 years ago
bugherder
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox46:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46