Closed
Bug 455757
Opened 16 years ago
Closed 16 years ago
TM: Loading www.netvibes.com crashes firefox with tracemonkey (jit) enabled
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: domzy.com, Assigned: dvander)
References
()
Details
Attachments
(2 files)
|
676 bytes,
application/x-javascript
|
Details | |
|
2.10 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b1pre) Gecko/20080917020400 Minefield/3.1b1pre Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b1pre) Gecko/20080917020400 Minefield/3.1b1pre Easy to replicate (on my machinie). Loading www.netvibes.com crashes everytime when Tracemonkey is enabled, and works when disabled. Confirmed not to bebecause of any specific applet on my personalised netvibes.com page and crashes on the default www.netvibes.com page. Reproducible: Always Steps to Reproduce: 1. Enable tracemonkey (jit) 2. Go to www.netvibes.com 3. Watch it crash.. Actual Results: Firefox crashes (it loads the titlebar information..) and the "send an error" window pops up Expected Results: Load the website A few nightly's back (maybe a week or slightly less) and it was working fine.
|
Assignee | |
Updated•16 years ago
|
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Summary: Loading www.netvibes.com crashes firefox with tracemonkey (jit) enabled → TM: Loading www.netvibes.com crashes firefox with tracemonkey (jit) enabled
|
|
Assignee | |
Comment 1•16 years ago
|
||
What's breaking here is that we're not importing args past the formal argument count. Originally we imported everything but it was changed here: http://hg.mozilla.org/tracemonkey/rev/074d733dbdb8 With the current TM tip, the argc > nargs test fails. With reverting that changeset, the first test fails instead. We compile a trace expecting args=2, and the second call fills the second argument with 0. The third call segfaults as js_NativeStackSlots(cx, 0) == 7 and the entry type map length is 6. Should we be guarding in js_ExecuteTree that the incoming argc <= args for the trace we compiled?
|
|
Assignee | |
Comment 3•16 years ago
|
||
So, importing argc beyond nargs seems difficult, if not impossible because we could try to execute a tree with more argc beyond nargs but less argc than originally recorded. Attached is a preliminary patch that fixes two of the crashes encountered so far.
Assignee: general → danderson
|
||
Comment 4•16 years ago
|
||
Idea: guard early in record_JSOP_CALL on argc matching, with BRANCH_EXIT exit type. This could help 3d-raytrace.js too! /be
|
||
Comment 5•16 years ago
|
||
But what about the initial frame (calldepth == 0)? That we would have to specialize using several trees. Or we have to make the stack unfolding explicit in the tree so that we can BRANCH_EXIT on that somehow.
|
|
Assignee | |
Updated•16 years ago
|
Attachment #339162 -
Flags: review?(gal)
|
||
Comment 6•16 years ago
|
||
This is the crash we're currently hitting in mochitest as well.
|
|
||
Comment 7•16 years ago
|
||
Comment on attachment 339162 [details] [diff] [review] aborts trace if accessing arguments beyond nargs, fixes a related crash >+ unsigned int nargs = JS_MIN((JS_MIN(argc, fp->fun->nargs)), 2); >+ for (uintN i = 0; i < nargs; i++) { Drive-by nit: avoid 'unsigned int', use unsigned or uintN but not both in adjacent or new code. This is the apply(_, arguments) special case, and it handles argc > nargs. >@@ -5880,7 +5881,7 @@ TraceRecorder::record_JSOP_ARGSUB() > JSStackFrame* fp = cx->fp; > if (!(fp->fun->flags & JSFUN_HEAVYWEIGHT)) { > uintN slot = GET_ARGNO(fp->regs->pc); >- if (slot < fp->argc && !fp->argsobj) { >+ if (slot < fp->fun->nargs && !fp->argsobj) { This case doesn't handle argc > nargs (slot >= nargs), but the interpreter and the language standard it's based on do: js> function f(x,y){return arguments[2]} js> f(1,2,3) 3 Ok, it's better to abort than crash! I'm with you on that. I just wonder why we can't import all actuals if there are more than formals. Sorry if you explained it on IRC and I missed it. Thanks, /be
|
|
Assignee | |
Comment 8•16 years ago
|
||
I'll switch to uintN, having 'unsigned' without 'int' bothers me for some reason :] The problem I ran into was, say nargs=2, argc=6. If a trace gets compiled for that expecting argc=6, and we later try to execute with argc=3, we can't seem to import the missing arguments since there's no space on the stack for them.
|
|
||
Comment 9•16 years ago
|
||
Comment on attachment 339162 [details] [diff] [review] aborts trace if accessing arguments beyond nargs, fixes a related crash Lets get this in. We can be more creative with argc > nargs if the need arises.
Attachment #339162 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 10•16 years ago
|
||
Pushed as changeset http://hg.mozilla.org/tracemonkey/rev/b38dc7abba98
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Comment 12•16 years ago
|
||
test also included in js1_8_1/trace/trace-test.js
Flags: in-testsuite+
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•