452900 - TM: Crash with gczeal, if(NaN)

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect, P2)

Description

[Jesse Ruderman]

./js -j
js> gczeal(2); for (var j=0;j<6;++j) { if(NaN) { } }

One of the following bad things happens:
* Crash [@ nanojit::Fragmento::newBranch]
* Crash [@ nanojit::LirBuffer::validate], possibly trying to touch 0x04000000.
* Assertion failed: count == _stats.pages (nanojit/LIR.cpp:156)
* Assertion failure: !_fragment->vmprivate && ti, at jstracer.cpp:667

Comment 1

[Jesse Ruderman]

The patch in bug 455464 comment 3 does not fix this bug.

Comment 2

[Brendan Eich [:brendan]]

25th attempt to GC is the bad one.

#0  js_GC (cx=0x1100b00, gckind=GC_LAST_DITCH) at jsgc.cpp:3039
#1  0x00061438 in RefillDoubleFreeList (cx=0x1100b00) at jsgc.cpp:1974
#2  0x0006180c in js_NewDoubleInRootedValue (cx=0x1100b00, d=nan(0xfffffffffffff), vp=0x1805338) at jsgc.cpp:2077
#3  0x000e53bc in NativeToValue (cx=0x1100b00, v=@0x1805338, type=2 '\002', slot=0xbfffcd30) at jstracer.cpp:1131
#4  0x000e5dac in FlushNativeGlobalFrame (cx=0x1100b00, ngslots=2, gslots=0x1100ac0, mp=0xbfffa660 "\002\001", np=0xbfffcaa0) at jstracer.cpp:1197
#5  0x000ec56b in js_ExecuteTree (cx=0x1100b00, treep=0xbfffd008, inlineCallCount=@0xbfffdbe0, innermostNestedGuardp=0xbfffd004) at jstracer.cpp:2470
#6  0x000fe5fc in js_MonitorLoopEdge (cx=0x1100b00, oldpc=0x11026d4 "\b????g\0055", inlineCallCount=@0xbfffdbe0) at jstracer.cpp:2525
#7  0x0013ef45 in js_Interpret (cx=0x1100b00) at jsinterp.cpp:3674
#8  0x000659e6 in js_Execute (cx=0x1100b00, chain=0x4cc000, script=0x1102670, down=0x0, flags=0, result=0xbffff834) at jsinterp.cpp:1550
#9  0x0001b544 in JS_ExecuteScript (cx=0x1100b00, obj=0x4cc000, script=0x1102670, rval=0xbffff834) at jsapi.cpp:4907
#10 0x00003454 in Process (cx=0x1100b00, obj=0x4cc000, filename=0x0, forceTTY=0) at js.cpp:315
#11 0x00008b0c in ProcessArgs (cx=0x1100b00, obj=0x4cc000, argv=0xbffff9d4, argc=1) at js.cpp:568
#12 0x00009c61 in main (argc=1, argv=0xbffff9d4, envp=0xbffff9dc) at js.cpp:3982

This stack follows:

#0  js_FlushJITCache (cx=0x1100b00) at jstracer.cpp:2711
#1  0x0006075e in js_GC (cx=0x1100b00, gckind=GC_LAST_DITCH) at jsgc.cpp:3248
#2  0x00061438 in RefillDoubleFreeList (cx=0x1100b00) at jsgc.cpp:1974
#3  0x0006180c in js_NewDoubleInRootedValue (cx=0x1100b00, d=nan(0xfffffffffffff), vp=0x1805338) at jsgc.cpp:2077
#4  0x000e53bc in NativeToValue (cx=0x1100b00, v=@0x1805338, type=2 '\002', slot=0xbfffcd30) at jstracer.cpp:1131
...

Finishing back to js_MonitorLoopEdge and then trying to finish that call results in this crash:

#0  0x0011623d in nanojit::Fragmento::newBranch (this=0x11003f0, from=0x11029c0, ip=0x4c607c) at nanojit/Fragmento.cpp:665
#1  0x001162bc in nanojit::Fragmento::createBranch (this=0x11003f0, lr=0x4c8f54, ip=0x4c607c) at nanojit/Fragmento.cpp:289
#2  0x000f9aee in js_AttemptToExtendTree (cx=0x1100b00, anchor=0x4c8f54, exitedFrom=0x0) at jstracer.cpp:2159
#3  0x000fe6ce in js_MonitorLoopEdge (cx=0x1100b00, oldpc=0x11026d4 "\b????g\0055", inlineCallCount=@0xbfffdbe0) at jstracer.cpp:2540
#4  0x0013ef45 in js_Interpret (cx=0x1100b00) at jsinterp.cpp:3674
#5  0x000659e6 in js_Execute (cx=0x1100b00, chain=0x4cc000, script=0x1102670, down=0x0, flags=0, result=0xbffff834) at jsinterp.cpp:1550
#6  0x0001b544 in JS_ExecuteScript (cx=0x1100b00, obj=0x4cc000, script=0x1102670, rval=0xbffff834) at jsapi.cpp:4907
#7  0x00003454 in Process (cx=0x1100b00, obj=0x4cc000, filename=0x0, forceTTY=0) at js.cpp:315
#8  0x00008b0c in ProcessArgs (cx=0x1100b00, obj=0x4cc000, argv=0xbffff9d4, argc=1) at js.cpp:568
#9  0x00009c61 in main (argc=1, argv=0xbffff9d4, envp=0xbffff9dc) at js.cpp:3982

Traveling again, gal or danderson should take. Thanks,

/be

Comment 3

[Damon Sicore (:damons)]

blocking1.9.1+, requires beta vector (P2), assigning to danderson.

Comment 4

[David Anderson [:dvander] - inactive, e-mail if emergency]

Can't reproduce this on tracemonkey tip -- can you verify, Jesse?

Comment 5

[Jesse Ruderman]

Yes, WFM.