Closed
Bug 1236522
Opened 9 years ago
Closed 9 years ago
Hit MOZ_CRASH(Unknown MIRType.) at js/src/jit/IonTypes.h:547 or Crash [@ js::jit::StringFromMIRType] with Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla46
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | fixed |
People
(Reporter: decoder, Assigned: jolesen)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-offthread-compile=off --ion-eager):
var g = newGlobal();
g.parent = this;
g.eval(`
var dbg = new Debugger();
var parentw = dbg.addDebuggee(parent);
dbg.onIonCompilation = function (graph) {
};
`);
var b4 = SIMD.Bool32x4(true, false, true, false);
for (var i = 0; i < 150; i++) {}
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000006db228 in js::jit::StringFromMIRType (type=<optimized out>) at js/src/jit/IonTypes.h:547
#0 0x00000000006db228 in js::jit::StringFromMIRType (type=<optimized out>) at js/src/jit/IonTypes.h:547
#1 0x00000000006de48c in js::jit::JSONSpewer::spewMDef (this=this@entry=0x7fffffffc8e0, def=def@entry=0x7ffff69cddc8) at js/src/jit/JSONSpewer.cpp:241
#2 0x00000000006de88b in js::jit::JSONSpewer::spewMIR (this=this@entry=0x7fffffffc8e0, mir=mir@entry=0x7ffff69c5040) at js/src/jit/JSONSpewer.cpp:288
#3 0x00000000006df09d in js::jit::JSONSpewer::spewDebuggerGraph (this=this@entry=0x7fffffffc8e0, graph=graph@entry=0x7ffff69c5040) at js/src/jit/JSONSpewer.cpp:410
#4 0x00000000006c21e0 in PrepareForDebuggerOnIonCompilationHook (info=0x7fffffffcc00, scripts=..., graph=..., cx=0x7ffff69c5040) at js/src/jit/Ion.cpp:499
#5 LinkCodeGen (cx=cx@entry=0x7ffff6907800, builder=builder@entry=0x7ffff69c5270, codegen=codegen@entry=0x7ffff69d5000, scripts=scripts@entry=..., info=info@entry=0x7fffffffcc00) at js/src/jit/Ion.cpp:591
#6 0x00000000006c3acf in js::jit::IonCompile (cx=cx@entry=0x7ffff6907800, script=script@entry=0x7ffff7e68160, baselineFrame=baselineFrame@entry=0x7fffffffce78, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Normal) at js/src/jit/Ion.cpp:2290
#7 0x00000000006c421c in js::jit::Compile (cx=cx@entry=0x7ffff6907800, script=..., script@entry=..., osrFrame=0x7fffffffce78, osrPc=osrPc@entry=0x7ffff6969b2d "ず", constructing=<optimized out>, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2451
#8 0x00000000006c44b1 in js::jit::CanEnterAtBranch (cx=cx@entry=0x7ffff6907800, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffce78, pc=pc@entry=0x7ffff6969b2d "ず") at js/src/jit/Ion.cpp:2538
#9 0x00000000005ea51d in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x7ffff6969b2d "ず", script=..., frame=0x7fffffffce78, cx=0x7ffff6907800) at js/src/jit/BaselineIC.cpp:66
#10 js::jit::DoWarmUpCounterFallback (cx=0x7ffff6907800, frame=0x7fffffffce78, stub=<optimized out>, infoPtr=0x7fffffffce50) at js/src/jit/BaselineIC.cpp:230
#11 0x00007ffff7ff2519 in ?? ()
[...]
#22 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x0 0
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffc7d0 140737488340944
rsp 0x7fffffffc7d0 140737488340944
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffc590 140737488340368
r11 0x7ffff6c27960 140737333328224
r12 0xe71eaf 15146671
r13 0x7ffff69cddc8 140737330863560
r14 0x7fffffffc8e0 140737488341216
r15 0x7ffff69c9150 140737330843984
rip 0x6db228 <js::jit::StringFromMIRType(js::jit::MIRType)+472>
=> 0x6db228 <js::jit::StringFromMIRType(js::jit::MIRType)+472>: movl $0x223,0x0
0x6db233 <js::jit::StringFromMIRType(js::jit::MIRType)+483>: callq 0x4a4a90 <abort()>
|
Assignee | |
Comment 2•9 years ago
|
||
Yes it is. On it.
Assignee: nobody → jolesen
Flags: needinfo?(jolesen)
|
|
Assignee | |
Comment 3•9 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/29467/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/29467/
|
|
Assignee | |
Comment 4•9 years ago
|
||
Add a case for MIRType_Bool32x4 to the switch and remove the default case so we
get compiler warnings in the future when adding more MIR types.
Review commit: https://reviewboard.mozilla.org/r/29469/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/29469/
Attachment #8703813 -
Flags: review?(nicolas.b.pierron)
|
||
Comment 5•9 years ago
|
||
https://reviewboard.mozilla.org/r/29467/#review26327
::: js/src/.clang-format:4
(Diff revision 1)
> +IndentWidth: 4
I think this is a good idea, but we should do that as part of a dedicated bug, and make sure that we do not inherit all the badness from Mozilla style.
The indentation is one of the major difference, and at the moment, "IndentCaseLabels" does not ssupport half indented case statements, as we have in SpiderMonkey.
http://clang.llvm.org/docs/ClangFormatStyleOptions.html
|
|
||
Updated•9 years ago
|
Attachment #8703813 -
Flags: review?(nicolas.b.pierron) → review+
|
|
||
Comment 6•9 years ago
|
||
Comment on attachment 8703813 [details]
MozReview Request: Bug 1236522 - Handle MIRType_Bool32x4 in StringFromMIRType. r?nbp
https://reviewboard.mozilla.org/r/29469/#review26329
| Comment hidden (obsolete) |
|
|
||
Comment 8•9 years ago
|
||
Comment on attachment 8703812 [details]
MozReview Request: JS clang-format
(I have no idea how to set these flags in review board …)
Attachment #8703812 -
Flags: review-
Attachment #8703812 -
Flags: feedback+
|
|
Assignee | |
Comment 9•9 years ago
|
||
(In reply to Nicolas B. Pierron [:nbp] from comment #5)
> https://reviewboard.mozilla.org/r/29467/#review26327
>
> ::: js/src/.clang-format:4
> (Diff revision 1)
> > +IndentWidth: 4
>
> I think this is a good idea, but we should do that as part of a dedicated
> bug, and make sure that we do not inherit all the badness from Mozilla style.
Yes, sorry about that. My script to push a branch to reviewboard failed to filter out this patch.
> The indentation is one of the major difference, and at the moment,
> "IndentCaseLabels" does not ssupport half indented case statements, as we
> have in SpiderMonkey.
>
> http://clang.llvm.org/docs/ClangFormatStyleOptions.html
Yet they have an AccessModifierOffset which does the same thing for `public:` etc. We should fix that ;-)
|
||
Comment 10•9 years ago
|
||
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 11•9 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/aff94d347ecd
user: Sajjad Taheri
date: Tue Dec 22 14:17:13 2015 -0800
summary: Bug 1160971 - Part 3: SIMD boolean vector support for JIT. r=bbouvier
This iteration took 256.902 seconds to run.
|
||
Comment 12•9 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in
before you can comment on or make changes to this bug.
Description
•