Closed Bug 465919 Opened 17 years ago Closed 17 years ago

TM: valgrind errors in js1_8_1/trace/trace-test.js

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: bc, Unassigned)

Details

(Keywords: valgrind)

earlier today js1_8_1/trace/trace-test.js (with a test run on mc at 2008-11-19 12:40:11 UTC) showed valgrind errors. ==6145== Invalid read of size 1 ==6145== at 0x80763B3: js_Interpret (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8088795: js_Execute (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804E544: JS_ExecuteScript (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804BFC4: Process(JSContext*, JSObject*, char*, int) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804C71C: main (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== Address 0x40EAC1D is 5 bytes inside a block of size 64 free'd ==6145== at 0x4004FDA: free (vg_replace_malloc.c:233) ==6145== by 0x80D3CCF: nanojit::Fragment::onDestroy() (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80E3EC2: nanojit::Fragmento::clearFragment(nanojit::Fragment*) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80E3F01: nanojit::Fragmento::clearFrags() (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80D6840: js_FlushJITCache(JSContext*) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80DE27A: js_MonitorLoopEdge(JSContext*, unsigned&) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8086725: js_Interpret (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8088795: js_Execute (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804E544: JS_ExecuteScript (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804BFC4: Process(JSContext*, JSObject*, char*, int) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804C71C: main (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== ==6145== Invalid read of size 1 ==6145== at 0x8081191: js_Interpret (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8088795: js_Execute (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804E544: JS_ExecuteScript (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804BFC4: Process(JSContext*, JSObject*, char*, int) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804C71C: main (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== Address 0x40EAC1E is 6 bytes inside a block of size 64 free'd ==6145== at 0x4004FDA: free (vg_replace_malloc.c:233) ==6145== by 0x80D3CCF: nanojit::Fragment::onDestroy() (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80E3EC2: nanojit::Fragmento::clearFragment(nanojit::Fragment*) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80E3F01: nanojit::Fragmento::clearFrags() (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80D6840: js_FlushJITCache(JSContext*) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80DE27A: js_MonitorLoopEdge(JSContext*, unsigned&) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8086725: js_Interpret (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8088795: js_Execute (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804E544: JS_ExecuteScript (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804BFC4: Process(JSContext*, JSObject*, char*, int) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804C71C: main (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== ==6145== Invalid read of size 1 ==6145== at 0x8081195: js_Interpret (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8088795: js_Execute (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804E544: JS_ExecuteScript (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804BFC4: Process(JSContext*, JSObject*, char*, int) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804C71C: main (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== Address 0x40EAC1F is 7 bytes inside a block of size 64 free'd ==6145== at 0x4004FDA: free (vg_replace_malloc.c:233) ==6145== by 0x80D3CCF: nanojit::Fragment::onDestroy() (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80E3EC2: nanojit::Fragmento::clearFragment(nanojit::Fragment*) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80E3F01: nanojit::Fragmento::clearFrags() (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80D6840: js_FlushJITCache(JSContext*) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x80DE27A: js_MonitorLoopEdge(JSContext*, unsigned&) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8086725: js_Interpret (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8088795: js_Execute (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804E544: JS_ExecuteScript (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804BFC4: Process(JSContext*, JSObject*, char*, int) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804C71C: main (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== ==6145== Use of uninitialised value of size 4 ==6145== at 0x807D335: js_Interpret (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8088795: js_Execute (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804E544: JS_ExecuteScript (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804BFC4: Process(JSContext*, JSObject*, char*, int) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804C71C: main (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== ==6145== Use of uninitialised value of size 4 ==6145== at 0x8077908: js_Interpret (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x8088795: js_Execute (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804E544: JS_ExecuteScript (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804BFC4: Process(JSContext*, JSObject*, char*, int) (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== by 0x804C71C: main (in /usr3/work/mozilla/builds/1.9.1/mozilla/js/src/Linux_All_OPT.OBJ/js) ==6145== ==6145== More than 10000000 total errors detected. I'm not reporting any more. ==6145== Final error counts will be inaccurate. Go fix your program! trying to reproduce it with a different machine and a build from 2008-11-20 10:11:58 UTC gives an assertion and illegal instruction Assertion failure: script->main <= target && target < script->code + script->length, at ../jsopcode.cpp:5197 vex x86->IR: unhandled instruction bytes: 0xCC 0xE8 0x81 0xCC ==19882== valgrind: Unrecognised instruction at address 0x814C661. ==19882== Your program just tried to execute an instruction that Valgrind ==19882== did not recognise. There are two possible reasons for this. ==19882== 1. Your program has a bug and erroneously jumped to a non-code ==19882== location. If you are running Memcheck and you just saw a ==19882== warning about a bad jump, it's probably your program's fault. ==19882== 2. The instruction is legitimate but Valgrind doesn't handle it, ==19882== i.e. it's Valgrind's fault. If you think this is the case or ==19882== you are not sure, please let us know and we'll try to fix it. ==19882== Either way, Valgrind will now raise a SIGILL signal which will ==19882== probably kill your program. ==19882== ==19882== Process terminating with default action of signal 4 (SIGILL) ==19882== Illegal opcode at address 0x814C661 ==19882== at 0x814C661: JS_Assert (jsutil.cpp:61) ==19882== by 0x80FFAA7: ReconstructPCStack(JSContext*, JSScript*, unsigned char*, unsigned char**) (jsopcode.cpp:5197) ==19882== by 0x8100060: js_ReconstructStackDepth (jsopcode.cpp:5173) ==19882== by 0x81707D8: js_ExecuteTree(JSContext*, nanojit::Fragment*, unsigned&, VMSideExit**) (jstracer.cpp:3593) ==19882== by 0x8187D2D: js_MonitorLoopEdge(JSContext*, unsigned&) (jstracer.cpp:3714) ==19882== by 0x80AEFC3: js_Interpret (jsinterp.cpp:3708) ==19882== by 0x80E4296: js_Execute (jsinterp.cpp:1559) ==19882== by 0x805423F: JS_ExecuteScript (jsapi.cpp:5078) ==19882== by 0x804F81A: Process(JSContext*, JSObject*, char*, int) (js.cpp:278) ==19882== by 0x8050088: ProcessArgs(JSContext*, JSObject*, char**, int) (js.cpp:518) ==19882== by 0x8050473: main (js.cpp:4030)
Flags: in-testsuite+
Flags: in-litmus-
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
The illegal instruction is the 'int $3' that allows a debugger to trap the breakpoint.
Er, assertion rather.
comment 0 is back.
finally finished the opt shell run with --smc-check=all and all these go away. the debug shell run is ongoing and the browser opt and debug runs are queued up after that, but unless something new comes up -> invalid. removing blocking flag.
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: blocking1.9.1+
Resolution: --- → INVALID
Bug #475876 has a patch to make TM work with Valgrind without requiring the --smc-check=all flag (which slows Valgrind down by about 2x).
You need to log in before you can comment on or make changes to this bug.