Closed
Bug 476414
Opened 15 years ago
Closed 15 years ago
TM: JSVAL_ERROR_COOKIE leaks into the heap
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
VERIFIED FIXED
People
(Reporter: gkw, Unassigned)
Details
(Keywords: crash, fixed1.9.1, testcase)
Attachments
(3 files)
842 bytes, text/javascript
1.37 KB, text/javascript
835 bytes, patch
gal> you can file a bug and make a note that we see 0x10, which is the JSVAL_ERROR_COOKIE the JIT uses
gal> if you see 0x10, the JIT code called something and that something had an error
gal> and signaled it
gal> not sure why it ends up being written back
gal> but I can add an exception to catch this earlier
gal> in jstracer.cpp
gal> in NativeToValue
Flags: blocking1.9.1?
Comment 1•15 years ago
Takes 30 seconds, crashes in GetGCThingFlags (far from the problem), but shorter than the other testcase.
Comment 2•15 years ago
Crashes in about 5 seconds, in js_NativeSet.
Comment 3•15 years ago
Adding this assertion catches the problem earlier (with both testcases).
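A toy C model of the leak gal describes and of a check at the write-back boundary, added here as an example; it is not SpiderMonkey code or the attached debugging patch, and it uses a runtime check where the patch uses an assertion. Only the 0x10 cookie value comes from this bug; `helper_next`, the `write_back_*` functions and the fake pointer values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Toy model, not SpiderMonkey code. Only the 0x10 value comes from the bug. */
#define ERROR_COOKIE ((uintptr_t)0x10)

/* Hypothetical traced helper: a fake object pointer, or the cookie on error. */
static uintptr_t helper_next(const uintptr_t *objs, size_t n, size_t i) {
    return i < n ? objs[i] : ERROR_COOKIE;
}

/* Unchecked write-back: whatever the native slot holds reaches the heap. */
static void write_back_unchecked(uintptr_t *heap_slot, uintptr_t native) {
    *heap_slot = native;
}

/* Checked write-back: reject the cookie where native values are boxed. */
static bool write_back_checked(uintptr_t *heap_slot, uintptr_t native) {
    if (native == ERROR_COOKIE) return false;  /* caller must stop and report */
    *heap_slot = native;
    return true;
}

/* Detection aid: count heap slots that hold the cookie. */
static size_t count_leaked_cookies(const uintptr_t *heap, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (heap[i] == ERROR_COOKIE);
    return hits;
}

static size_t run_demo(bool checked) {
    const uintptr_t objs[2] = { 0x1000, 0x2000 };   /* constructed values */
    uintptr_t heap[3] = { 0, 0, 0 };
    for (size_t i = 0; i < 3; i++) {                /* third call fails */
        uintptr_t v = helper_next(objs, 2, i);
        if (!checked)
            write_back_unchecked(&heap[i], v);
        else if (!write_back_checked(&heap[i], v))
            break;
    }
    return count_leaked_cookies(heap, 3);
}

int main(void) {
    printf("unchecked=%zu checked=%zu\n", run_demo(false), run_demo(true));
    return 0;
}
```

In the unchecked run the cookie sits in the heap as if it were a value, so the failure only shows up later and elsewhere, which matches the crashes "far from the problem" reported above.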
Reporter
Comment 4•15 years ago
(In reply to comment #1)
> Created an attachment (id=360050) [details]
> testcase e6.js

Crashes in js_NativeSet.

(In reply to comment #2)
> Created an attachment (id=360051) [details]
> testcase f4.js

Crashes in GetGCThingFlags (far from the problem).

(I'm pretty sure the descriptions should be reversed)
Reporter
Comment 5•15 years ago
(In reply to comment #3)
> Created an attachment (id=360052) [details]
> debugging patch
>
> Adding this assertion catches the problem earlier (with both testcases).

This landed? http://hg.mozilla.org/tracemonkey/rev/0518ddc0215d
Reporter
Comment 6•15 years ago
I ran a similar testcase using |export TRACEMONKEY=verbose| and here's the end-result:

=== /snip
--------------------------------------- end exit block 0x257580
sti xt222[8] = i2f87
ld122 loop
mov 8(ebx),eax eax(i2f87) ecx(eq191) ebx(xt222)
0x2b9113: jmp 0x0
0x2b9118 [epilogue]
mov esp,ebp
pop ebp
pop ebp
pop ebx
pop esi
pop edi
ret
fragment 0x2b5a1c: ENTRY: S0 S0 S0 S6 G6
fragment 0x2b5ce0: ENTRY: S0 S0 S0 S0 G6
fragment 0x257058: ENTRY: S0 S0 S0 S6 G0
fragment 0x257320: ENTRY: S0 S0 S0 S0 G0
recording completed at ../2216-interesting.js:513@19 via closeLoop
Looking for compat peer 513@19, from 0x2b5a1c (ip: 0xc12cf0f, hits=5)
checking vm types 0x2b5a1c (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=O/B bool != tag0
checking vm types 0x2b5ce0 (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=O/O global0=O/B bool != tag0
checking vm types 0x257058 (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=O/B bool != tag0
checking vm types 0x257320 (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=O/O global0=O/O
entering trace at ../2216-interesting.js:513@19, native stack slots: 5 code: 0x2b90a0
global: object<0x4db640:Object>
stack: callee0=object<0x462a80:Function> this0=object<0x293000:global> stack0=object<0x4db680:Iterator> stack1=object<0x4db640:Object>
leaving trace at ../2216-interesting.js:513@22, op=nextiter, lr=0x257530, exitType=3, sp=2, calldepth=0, cycles=26752
object<0x293000:global>
callee0=object<0x462a80:Function> this0=object<0x293000:global> stack0=object<0x4db680:Iterator> stack1=box<e>
Looking for compat peer 513@19, from 0x2b5a1c (ip: 0xc12cf0f, hits=5)
checking vm types 0x2b5a1c (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=B/B global0=O/B bool != tag0
checking vm types 0x2b5ce0 (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=B/O object != tag6
checking vm types 0x257058 (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=B/B global0=O/O
entering trace at ../2216-interesting.js:513@19, native stack slots: 5 code: 0x2b9120
global: object<0x293000:global>
stack: callee0=object<0x462a80:Function> this0=object<0x293000:global> stack0=object<0x4db680:Iterator> stack1=boolean<1>
leaving trace at ../2216-interesting.js:513@22, op=nextiter, lr=0x257268, exitType=3, sp=2, calldepth=0, cycles=7007
boolean<1>
callee0=object<0x462a80:Function> this0=object<0x293000:global> stack0=object<0x4db680:Iterator> stack1=box<e>
Looking for compat peer 513@19, from 0x2b5a1c (ip: 0xc12cf0f, hits=5)
checking vm types 0x2b5a1c (ip: 0xc12cf0f): callee0=O/O this0=O/O stack0=O/O stack1=B/B global0=B/B
entering trace at ../2216-interesting.js:513@19, native stack slots: 5 code: 0x2b9230
global: boolean<1>
stack: callee0=object<0x462a80:Function> this0=object<0x293000:global> stack0=object<0x4db680:Iterator> stack1=boolean<1>
Internal error: getting top stack frame on trace.
Internal error: getting top stack frame on trace.
Internal error: getting top stack frame on trace.
Internal error: getting top stack frame on trace.
leaving trace at ../2216-interesting.js:513@23, op=ifne, lr=0x2b5f74, exitType=1, sp=3, calldepth=0, cycles=1696662
Bus error
Comment 7•15 years ago
new assert covered by js1_8/extensions/regress-455973.js
Updated•15 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Comment 8•15 years ago
Both attached test cases WFM with TM tip. I didn't check the tests bc reported but it should be the same issue. I would appreciate verification of both.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Comment 9•15 years ago
(In reply to comment #7)
> new assert covered by js1_8/extensions/regress-455973.js

fixed by http://hg.mozilla.org/tracemonkey/rev/949044628792
Comment 10•15 years ago
f4.js and e6.js (still running) do not assert for me either.
Reporter
Comment 11•15 years ago
(In reply to comment #10)
> f4.js and e6.js (still running) do not assert for me either.

I'm having same results as bc. Verifying WFM.
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Reporter
Comment 12•15 years ago
-> Fixed by bug 462027. See: https://bugzilla.mozilla.org/show_bug.cgi?id=475144#c9
Resolution: WORKSFORME → FIXED
Comment 13•15 years ago
http://hg.mozilla.org/mozilla-central/rev/b474739c9cc2
Flags: in-testsuite?
Flags: in-testsuite+
Flags: in-litmus-
Updated•15 years ago
Keywords: fixed1.9.1