459539 - TM: crash growing innermost trees from outer trees

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: test case that bombs

Multi-trees is currently in a chaotic state because I was hitting this crash in crypto-aes.  It took long enough but I've managed to reduce it to a test case that crashes on tip.  It never appeared before because we didn't trace as much.

The test case just exploits a particular control flow that nested trees gets wrong.

1. Innermost loop gets compiled.  Then it takes a branch, and we compile that branch _as a thin loop_.
2. Inner loop (middle) gets compiled expecting the innermost loop to not branch.
3. Outer loop gets compiled.
4. Outer loop gets run such that the innermost loop takes its thin branch.

When the guard chain bubbles back up to js_Execute, the immediate GuardRecord has a calldepth=1.  We skip past this and never process its call depth or exit, which leads to the good ol' assertion:

"Assertion failure: script->main <= target && target < script->code + script->length, at jsopcode.cpp:5197"

If the innermost branch is not thin, this assertion is not hit.

Comment 1

[Andreas Gal :gal]

Also hits before the thin loop patch, so thin loops are likely not directly contributing.

Comment 2

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: proposed fix from andreas

Comment 3

[Andreas Gal :gal]

Attachment: patch with testcase

Comment 4

[Andreas Gal :gal]

http://hg.mozilla.org/tracemonkey/rev/46edde157751

Comment 5

[Bob Clary [:bc] (inactive)]

/cvsroot/mozilla/js/tests/js1_8_1/trace/trace-test.js,v  <--  trace-test.js
new revision: 1.5; previous revision: 1.4

http://hg.mozilla.org/mozilla-central/rev/f0e9fd501e63