Closed Bug 476414 Opened 15 years ago Closed 15 years ago

TM: JSVAL_ERROR_COOKIE leaks into the heap

Tracking

()

Status:

VERIFIED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, fixed1.9.1, testcase)

Attachments

(3 files)

testcase e6.js 15 years ago Jesse Ruderman 842 bytes, text/javascript		Details
testcase f4.js 15 years ago Jesse Ruderman 1.37 KB, text/javascript		Details
debugging patch 15 years ago Jesse Ruderman 835 bytes, patch		Details \| Diff \| Splinter Review

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

15 years ago

gal> you can file a bug and make a note that we see 0x10, which is the JSVAL_ERROR_COOKIE the JIT uses
gal> if you see 0x10, the JIT code called something and that something had an error
gal> and signaled it
gal> not sure why it ends up being written back
gal> but I can add an exception to catch this earlier
gal> in jstracer.cpp
gal> in NativeToValue

Flags: blocking1.9.1?

Jesse Ruderman

Comment 1

•

15 years ago

Attached file testcase e6.js — Details

Takes 30 seconds, crashes in GetGCThingFlags (far from the problem), but shorter than the other testcase.

Jesse Ruderman

Comment 2

•

15 years ago

Attached file testcase f4.js — Details

Crashes in about 5 seconds, in js_NativeSet.

Jesse Ruderman

Comment 3

•

15 years ago

Attached patch debugging patch — Details — Splinter Review

Adding this assertion catches the problem earlier (with both testcases).

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Updated

•

15 years ago

Depends on: deepbail

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 4

•

15 years ago

(In reply to comment #1)
> Created an attachment (id=360050) [details]
> testcase e6.js

Crashes in js_NativeSet.

(In reply to comment #2)
> Created an attachment (id=360051) [details]
> testcase f4.js

Crashes in GetGCThingFlags (far from the problem).

(I'm pretty sure the descriptions should be reversed)

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 5

•

15 years ago

(In reply to comment #3)
> Created an attachment (id=360052) [details]
> debugging patch
> 
> Adding this assertion catches the problem earlier (with both testcases).

This landed?

http://hg.mozilla.org/tracemonkey/rev/0518ddc0215d

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 6

•

15 years ago

I ran a similar testcase using |export TRACEMONKEY=verbose| and here's the end-result:

===
/snip
--------------------------------------- end exit block 0x257580
    sti xt222[8] = i2f87
    ld122
    loop
              mov 8(ebx),eax                  eax(i2f87) ecx(eq191) ebx(xt222)
        0x2b9113:
              jmp 0x0                        
    0x2b9118  [epilogue]                     
              mov esp,ebp                    
              pop ebp                        
              pop ebp                        
              pop ebx                        
              pop esi                        
              pop edi                        
              ret                            
fragment 0x2b5a1c:
ENTRY: S0 S0 S0 S6 G6 
fragment 0x2b5ce0:
ENTRY: S0 S0 S0 S0 G6 
fragment 0x257058:
ENTRY: S0 S0 S0 S6 G0 
fragment 0x257320:
ENTRY: S0 S0 S0 S0 G0 
recording completed at ../2216-interesting.js:513@19 via closeLoop
Looking for compat peer 513@19, from 0x2b5a1c (ip: 0xc12cf0f, hits=5)
checking vm types 0x2b5a1c (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=O/B bool != tag0
checking vm types 0x2b5ce0 (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=O/O global0=O/B bool != tag0
checking vm types 0x257058 (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=O/B bool != tag0
checking vm types 0x257320 (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=O/O global0=O/O 
entering trace at ../2216-interesting.js:513@19, native stack slots: 5 code: 0x2b90a0
global: object<0x4db640:Object> 
stack: callee0=object<0x462a80:Function> this0=object<0x293000:global> stack0=object<0x4db680:Iterator> stack1=object<0x4db640:Object> 
leaving trace at ../2216-interesting.js:513@22, op=nextiter, lr=0x257530, exitType=3, sp=2, calldepth=0, cycles=26752
object<0x293000:global> 
callee0=object<0x462a80:Function> this0=object<0x293000:global> stack0=object<0x4db680:Iterator> stack1=box<e> 
Looking for compat peer 513@19, from 0x2b5a1c (ip: 0xc12cf0f, hits=5)
checking vm types 0x2b5a1c (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=B/B global0=O/B bool != tag0
checking vm types 0x2b5ce0 (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=B/O object != tag6
checking vm types 0x257058 (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=B/B global0=O/O 
entering trace at ../2216-interesting.js:513@19, native stack slots: 5 code: 0x2b9120
global: object<0x293000:global> 
stack: callee0=object<0x462a80:Function> this0=object<0x293000:global> stack0=object<0x4db680:Iterator> stack1=boolean<1> 
leaving trace at ../2216-interesting.js:513@22, op=nextiter, lr=0x257268, exitType=3, sp=2, calldepth=0, cycles=7007
boolean<1> 
callee0=object<0x462a80:Function> this0=object<0x293000:global> stack0=object<0x4db680:Iterator> stack1=box<e> 
Looking for compat peer 513@19, from 0x2b5a1c (ip: 0xc12cf0f, hits=5)
checking vm types 0x2b5a1c (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=B/B global0=B/B 
entering trace at ../2216-interesting.js:513@19, native stack slots: 5 code: 0x2b9230
global: boolean<1> 
stack: callee0=object<0x462a80:Function> this0=object<0x293000:global> stack0=object<0x4db680:Iterator> stack1=boolean<1> 
Internal error: getting top stack frame on trace.
Internal error: getting top stack frame on trace.
Internal error: getting top stack frame on trace.
Internal error: getting top stack frame on trace.
leaving trace at ../2216-interesting.js:513@23, op=ifne, lr=0x2b5f74, exitType=1, sp=3, calldepth=0, cycles=1696662
Bus error

Keywords: crash, testcase

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Updated

•

15 years ago

Blocks: 476427

Bob Clary [:bc] (inactive)

Comment 7

•

15 years ago

new assert covered by covered by js1_8/extensions/regress-455973.js

Robert Sayre

Updated

•

15 years ago

Flags: blocking1.9.1? → blocking1.9.1+

Priority: -- → P2

Andreas Gal :gal

Comment 8

•

15 years ago

Both attached test cases WFM with TM tip. I didn't check the tests bc reported but it should be the same issue. I would appreciate verification of both.

Status: NEW → RESOLVED

Closed: 15 years ago

Resolution: --- → WORKSFORME

Bob Clary [:bc] (inactive)

Comment 9

•

15 years ago

(In reply to comment #7)
> new assert covered by covered by js1_8/extensions/regress-455973.js

fixed by http://hg.mozilla.org/tracemonkey/rev/949044628792

Bob Clary [:bc] (inactive)

Comment 10

•

15 years ago

f4.js and e6.js (still running) do not assert for me either.

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 11

•

15 years ago

(In reply to comment #10)
> f4.js and e6.js (still running) do not assert for me either.

I'm having same results as bc. Verifying WFM.

Status: RESOLVED → VERIFIED

Flags: in-testsuite?

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 12

•

15 years ago

-> Fixed by bug 462027.

See:
https://bugzilla.mozilla.org/show_bug.cgi?id=475144#c9

Resolution: WORKSFORME → FIXED

Bob Clary [:bc] (inactive)

Comment 13

•

15 years ago

http://hg.mozilla.org/mozilla-central/rev/b474739c9cc2

Flags: in-testsuite?

Flags: in-testsuite+

Flags: in-litmus-

Robert Sayre

Updated

•

15 years ago

Keywords: fixed1.9.1

You need to log in before you can comment on or make changes to this bug.