Firefox will crash on the sparc platform when visiting some websites.

RESOLVED FIXED

Product: Core
Component: JavaScript Engine
Severity: critical
Version: 1.9.1 Branch
Platform: Sun, Solaris
Keywords: crash, verified1.9.1
Reporter: Leon Sha
Assigned: Leon Sha
Firefox Tracking Flags: status1.9.1 .2-fixed

Attachments (2 attachments)

15.38 KB, text/plain
1.80 KB, patch (gal: review+; Samuel Sidler (old account; do not CC): approval1.9.1.2+)
(Assignee)

Description

8 years ago
Created attachment 388439
Stack trace of this crash

When visiting http://coastalmap.marine.usgs.gov/ArcIms/Website/usa/eastcoast/atlanticcoast/viewer.htm on sparc, Firefox will crash. If the JIT is disabled, there is no crash.
(Assignee)

Comment 1

8 years ago
Created attachment 388440
patch

Normally, functions are executed one by one. In the JavaScript engine with the JIT enabled, there is a possibility that two functions are joined: the code can jump from one function to another. On sparc, the stack size is fixed when a function is generated. This bug happened when jumping from a small-stack function (FUNC A) to a big-stack function (FUNC B). When this happens, the code that is running belongs to FUNC B, but it is actually still running in FUNC A, because no call or return has happened. In FUNC B there may be some stack writes that destroy FUNC A's stack.

The solution here is to do the same as x86 does: add another line to decrease the stack pointer after the save. Every time we join two functions, we re-calculate the stack pointer to meet the requirement. The code is much more like x86 now. The difference is that we don't need to restore the stack pointer before the jump, since we get the stack pointer directly from the frame pointer.

I have tested this patch; it passes trace-test.js and the tamarin-redux acceptance test.
Assignee: general → leon.sha
Status: NEW → ASSIGNED
Attachment #388440 - Flags: review?(gal)
Severity: normal → critical
Keywords: crash
Version: unspecified → 1.9.1 Branch
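
The failure mode described in comment 1, as an added example that is not part of the bug report, the attached patch, or nanojit: a toy stack model in which a jump from FUNC A into FUNC B either leaves the stack pointer at FUNC A's size or recomputes it from the frame pointer. The frame sizes, names and the 64-byte register-window save area at the stack pointer are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the stack, not nanojit code. All sizes are constructed.
 * Assumption: 32-bit SPARC keeps a 64-byte register-window save area at [%sp]. */
enum { STACK = 1024, WINDOW_SAVE = 64 };
enum { FRAME_A = WINDOW_SAVE + 32, FRAME_B = WINDOW_SAVE + 256 };

typedef struct { uint8_t mem[STACK]; size_t fp, sp; } cpu;

/* "save": reserve a frame whose size was fixed when the code was generated. */
static void save_frame(cpu *c, size_t entry_sp, size_t frame) {
    c->fp = entry_sp;
    c->sp = entry_sp - frame;
}

/* Window overflow: the current window's registers are stored at [sp, sp+64). */
static void window_spill(cpu *c) { memset(c->mem + c->sp, 0x55, WINDOW_SAVE); }

/* Fragment body: write spill slots, addressed downward from the frame pointer. */
static void write_spills(cpu *c, size_t frame, uint8_t tag) {
    size_t n = frame - WINDOW_SAVE;
    memset(c->mem + c->fp - n, tag, n);
}

/* Enter FUNC A, jump (no call/return) into FUNC B, and return how many bytes
 * of the saved register window FUNC B's stack writes overwrote. */
static size_t clobbered_after_join(int recompute_sp) {
    cpu c;
    memset(&c, 0, sizeof c);
    save_frame(&c, STACK, FRAME_A);
    write_spills(&c, FRAME_A, 0xAA);
    if (recompute_sp)                 /* the fix: size sp for FUNC B at the join */
        c.sp = c.fp - FRAME_B;
    window_spill(&c);                 /* saved registers now live at [sp, sp+64) */
    write_spills(&c, FRAME_B, 0xBB);  /* FUNC B runs inside whatever frame exists */
    size_t bad = 0;
    for (size_t i = 0; i < WINDOW_SAVE; i++)
        bad += c.mem[c.sp + i] != 0x55;
    return bad;
}

int main(void) {
    printf("sp left at FUNC A's size: %zu bytes clobbered\n", clobbered_after_join(0));
    printf("sp recomputed from fp:    %zu bytes clobbered\n", clobbered_after_join(1));
    return 0;
}
```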

Updated

8 years ago
Attachment #388440 - Flags: review?(gal) → review+
(Assignee)

Comment 2

8 years ago
http://hg.mozilla.org/tracemonkey/rev/22313a951d50
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Comment 3

8 years ago
Comment on attachment 388440
patch

This is an NPOTB code change. It should be safe to land on the mozilla-1.9.1 branch. This bug will crash Firefox on sparc.
Attachment #388440 - Flags: approval1.9.1.2?
Comment on attachment 388440
patch

Approved for 1.9.1.2. a=NPOTB, aka ss.

Please land on mozilla-1.9.1 and use the ".2-fixed" option of the "status1.9.1" flag.
Attachment #388440 - Flags: approval1.9.1.2? → approval1.9.1.2+
(Assignee)

Comment 5

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/42b97b255405
status1.9.1: --- → .2-fixed
(Assignee)

Updated

8 years ago
Keywords: verified1.9.1