Closed
Bug 501275
Opened 16 years ago
Closed 16 years ago
TM: Crash [@ nanojit::Assembler::nPatchBranch]
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.2
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
| blocking1.9.1 | --- | .2+ |
| status1.9.1 | --- | .2-fixed |
People
(Reporter: jruderman, Assigned: gal)
Details
(4 keywords, Whiteboard: [sg:dos], fixed-in-tracemonkey)
Crash Data
Attachments
(1 file)
|
2.01 KB,
patch
|
dvander
:
review+
beltzner
:
approval1.9.1.2+
|
Details | Diff | Splinter Review |
for (let i = 0; i < 5; ++i) { i / (i * i); }
Crash [@ nanojit::Assembler::nPatchBranch]
|
Reporter | |
Comment 1•16 years ago
|
||
Does not affect the 1.9.1 branch.
|
Assignee | |
Updated•16 years ago
|
Assignee: general → gal
Severity: critical → major
Flags: blocking1.9.2?
Priority: -- → P2
Target Milestone: --- → mozilla1.9.2
|
||
Comment 2•16 years ago
|
||
autoBisect shows this is probably related to bug 498549 :
The first bad revision is:
changeset: 28992:434d3673d304
user: Andreas Gal
date: Wed Jun 17 08:06:21 2009 +0100
summary: If the result of a demoted multiplication is 0, must undemote or we lose -0 (498549, r=dvander).
Blocks: 498549
Keywords: regression
|
|
Assignee | |
Comment 3•16 years ago
|
||
Confirmed.
|
|
||
Comment 4•16 years ago
|
||
This bug is hurting the bug 465479 fuzzer significantly on all platforms.
OS: Mac OS X → All
Hardware: x86 → All
|
||
Updated•16 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
||
Comment 5•16 years ago
|
||
This can also be seen by visiting the stats page of a pro flickr account: http://crash-stats.mozilla.com/report/index/d7c28c82-ba85-4e5a-a07c-c757b2090718
|
|
Assignee | |
Comment 6•16 years ago
|
||
Attachment #389355 -
Flags: review?(dvander)
|
|
Assignee | |
Updated•16 years ago
|
Attachment #389355 -
Attachment is patch: true
Attachment #389355 -
Attachment mime type: application/octet-stream → text/plain
|
|
Assignee | |
Comment 7•16 years ago
|
||
498549 is a red herring. It allows the testcase to compile more efficiently than before, and contains a side exit that has one of its guards eliminated by the forward filter. We do link it in sideexit->guards though, and when a 2nd trace is attached to the side exit, we try to patch guardRecord->jmp, which is NULL (guard was eliminated and never emitted). Hilarity ensues.
This can be triggered prior to 498549, but not with the attached test case or anything similar to it. Even if, its a "safe" always-NULL crash, and probably really rare edge case.
The attached test-case only triggers on m-c and TM, not 1.9.1. I will not close this bug, but mark it [sg? dos], and ask for 3.5.2 approval.
|
|
Assignee | |
Updated•16 years ago
|
Attachment #389355 -
Flags: approval1.9.1.2?
|
|
Assignee | |
Comment 8•16 years ago
|
||
The patch is very low risk. This can go onto branch with minimum baking.
|
|
||
Updated•16 years ago
|
blocking1.9.1: --- → ?
|
|
Assignee | |
Updated•16 years ago
|
Whiteboard: [sg:dos]
|
|
Assignee | |
Comment 9•16 years ago
|
||
I reviewed all places where we emit guards and the new code in TM and m-c might be the only place that can actually trigger this (conceptually other things can trigger it, but we seem to never emit any other guards that can become redundant). So 1.9.1 is likely not affected, but the patch is so low risk and my analysis might be wrong, so definitively still want this in 3.5.2
|
|
||
Updated•16 years ago
|
Attachment #389355 -
Flags: review?(dvander) → review+
|
||
Updated•16 years ago
|
blocking1.9.1: ? → .2+
status1.9.1:
--- → wanted
|
||
Comment 10•16 years ago
|
||
Comment on attachment 389355 [details] [diff] [review]
Skip guard records attached to a side exit that ended up being eliminated
a1912=beltzner, I bet your analysis is right, but better safe than sorry. Watch out for that merge!
Attachment #389355 -
Flags: approval1.9.1.2? → approval1.9.1.2+
|
|
||
Comment 11•16 years ago
|
||
This needs to first be checked in to tracemonkey branch.
|
|
Assignee | |
Updated•16 years ago
|
Keywords: checkin-needed
|
|
||
Updated•16 years ago
|
Priority: P2 → P1
|
|
||
Updated•16 years ago
|
Keywords: checkin-needed
Whiteboard: [sg:dos] → [sg:dos], fixed-in-tracemonkey
|
|
||
Comment 13•16 years ago
|
||
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
||
Comment 14•16 years ago
|
||
|
||
Comment 15•16 years ago
|
||
the referenced test never failed on 1.9.1. it still doesn't on mac at least.
|
||
Comment 16•16 years ago
|
||
Based on comment 15, is it safe to mark this verified1.9.1?
|
|
||
Comment 17•16 years ago
|
||
Mass change: adding fixed1.9.2 keyword
(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
|
|
||
Updated•16 years ago
|
status1.9.2:
--- → beta1-fixed
Keywords: fixed1.9.2
|
|
||
Comment 19•16 years ago
|
||
testEliminatedGuardWithinAnchor
v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
|
||
Updated•16 years ago
|
Flags: wanted1.9.0.x-
|
||
Updated•14 years ago
|
Crash Signature: [@ nanojit::Assembler::nPatchBranch]
You need to log in
before you can comment on or make changes to this bug.
Description
•