Closed Bug 469012 Opened 13 years ago Closed 13 years ago

TM: Crash [@nanojit::LirBufWriter::insLinkToFar] - ecma/FunctionObjects/15.3.5-1.js - ecma/FunctionObjects/15.3.2.1-3.js

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: bc, Assigned: graydon)

References


Details

(4 keywords)

Crash Data

Attachments

(1 file)

visit http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=ecma%2FFunctionObjects%2F15.3.1.1-3.js;language=type;text/javascript;jit

with tracemonkey build. Crash nanojit::LirBufWriter::insLinkToFar js/src/nanojit/LIR.cpp:198

http://crash-stats.mozilla.com/report/index/8e9e4cb1-e6df-4507-b382-d764d2081210
Flags: in-testsuite+
Flags: in-litmus-
Flags: blocking1.9.1?
Severity: normal → critical
Rick, it appears that http://hg.mozilla.org/tracemonkey/rev/2274c22d3611 is the regression changeset. This landed on tm on Dec 9, but it landed on mc on Nov 14. I don't think I've seen this on mc.
Assertion failed: _buf->_thresholdPage (/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/nanojit/LIR.cpp:161)
Summary: TM: Crash [@nanojit::LirBufWriter::insLinkToFar] → TM: Crash [@nanojit::LirBufWriter::insLinkToFar] - ecma/FunctionObjects/15.3.5-1.js - ecma/FunctionObjects/15.3.2.1-3.js
I got the same crash today while on gmail.

http://crash-stats.mozilla.com/report/index/32918212-7069-4f84-b437-e76792081216
@ nanojit::LirBufWriter::insLinkTo(nanojit::LOpcode, nanojit::LIns*) js/src/nanojit/LIR.cpp:189
Flags: blocking1.9.1? → blocking1.9.1+
Attached patch: Fix the bug
The code as written assumes that one will be approaching the end of a page in small increments and therefore the tests will transition from not-passing to passing in a particular order: first no tests will pass (you're >256 slots from the end of the page), then the outer test alone will pass (you're within 256 slots, but not stepping over the edge) but not the inner one, and then finally the inner test will pass (you're stepping over the edge). Tracemonkey sometimes writes large stack snapshots into LIR buffers (native stack snapshots), so we violate the assumption: we go from "not near the end" to "stepping over the edge" in a single state transition, which it can't handle. No threshold page has been allocated by the time we're at the edge, and we crash.

Solution is minor: move the test order around so it doesn't assume this progression. Allocate the threshold page as soon as we're getting close by any measure.
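The check-ordering problem described in the comment above, as an added illustration (this is a hypothetical, simplified model written for this page, not nanojit's LirBufWriter; the page size of 1024 slots, the `Writer` class and the `firstFailure` helper are all constructed for the example). The buggy path only pre-allocates the threshold page when it sees "near the end but not over the edge", so a single large write that jumps straight to the edge finds no page to link to; the fixed path allocates as soon as the write is close by any measure, then links:

```cpp
// Hypothetical model of a paged LIR buffer writer (added example, not nanojit's code).
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

const std::size_t kPageSlots = 1024;  // slots per LIR page (constructed value)
const std::size_t kThreshold = 256;   // "within 256 slots of the end", as in the comment

struct Page {
    std::size_t used = 0;  // slots already written into this page
};

// A writer that pre-allocates a "threshold page" when it gets close to the end of
// the current page and links to that page when a write steps over the edge.
class Writer {
public:
    explicit Writer(bool fixedOrder) : fixedOrder_(fixedOrder), current_(new Page()) {}

    // Returns false when the writer reaches the edge with no threshold page,
    // the state the real engine reported as a failed assertion / crash.
    // Precondition: slots <= kPageSlots - kThreshold.
    bool insert(std::size_t slots) {
        const bool closeToEnd = current_->used + slots > kPageSlots - kThreshold;  // outer test
        const bool overEdge   = current_->used + slots > kPageSlots;               // inner test

        if (fixedOrder_) {
            // Fixed ordering: allocate as soon as we are close by any measure, then link.
            if (closeToEnd && !threshold_) threshold_.reset(new Page());
            if (overEdge) linkToThreshold();
        } else {
            // Buggy ordering: assumes "close but not over" is always seen before "over".
            if (closeToEnd) {
                if (overEdge) {
                    if (!threshold_) return false;  // jumped straight to the edge: nothing to link to
                    linkToThreshold();
                } else if (!threshold_) {
                    threshold_.reset(new Page());   // pre-allocate for the expected next step
                }
            }
        }
        current_->used += slots;
        return true;
    }

    int pagesLinked() const { return pagesLinked_; }

private:
    void linkToThreshold() {
        current_ = std::move(threshold_);  // threshold_ becomes null again
        ++pagesLinked_;
    }
    bool fixedOrder_;
    std::unique_ptr<Page> current_;
    std::unique_ptr<Page> threshold_;
    int pagesLinked_ = 0;
};

// Runs a sequence of writes; returns the index of the first failing write, or -1 if none fail.
int firstFailure(bool fixedOrder, const std::vector<std::size_t>& writes) {
    Writer w(fixedOrder);
    for (std::size_t i = 0; i < writes.size(); ++i)
        if (!w.insert(writes[i])) return static_cast<int>(i);
    return -1;
}

int main() {
    std::vector<std::size_t> small(1100, 1);          // approach the edge one slot at a time
    std::vector<std::size_t> snapshots = {600, 600};  // two large native-stack snapshots
    std::printf("small steps:   buggy=%d fixed=%d\n",
                firstFailure(false, small), firstFailure(true, small));
    std::printf("big snapshots: buggy=%d fixed=%d\n",
                firstFailure(false, snapshots), firstFailure(true, snapshots));
    return 0;
}
```

With one-slot writes both orderings cross the page boundary cleanly, because the outer test is seen passing before the inner one. With two 600-slot writes the second write is both "close" and "over" at once: the buggy ordering returns a failure at index 1 (the crash), while the fixed ordering allocates and links in the same step.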
Assignee: general → graydon
Status: NEW → ASSIGNED
Attachment #353763 - Flags: review?(gal)
Attachment #353763 - Flags: review?(gal) → review?(danderson)
Attachment #353763 - Flags: review?(danderson) → review+
http://hg.mozilla.org/tracemonkey/rev/a86e8c84e2ee
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Duplicate of this bug: 471259
Has this been merged to the main trunk yet?  (did it ever exist there?)
Yes, it did exist there, but the last failure on trunk was on 2008-12-26.
Verified fixed.
Status: RESOLVED → VERIFIED
Duplicate of this bug: 472299
Crash Signature: [@nanojit::LirBufWriter::insLinkToFar]