Closed Bug 504797 Opened 16 years ago Closed 16 years ago

Crash on Google Docs with jit enabled

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.3a1
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed

People

(Reporter: sylvain.pasche, Assigned: dmandelin)

References

(
URL
)

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Attachments

(3 files, 3 obsolete files)

Shell test case
175 bytes, application/x-javascript
Details
Stopgap patch 2
1.15 KB, patch
Details | Diff | Splinter Review
Patch 2 (forgot test case last time)
17.55 KB, patch
gal
: review+
Details | Diff | Splinter Review
If you load or create a new Google Docs document on http://docs.google.com with jit on, you get the unresponsive script dialog with: Script: http://docs.google.com/js/791001784-EditPage.js:15 with jit off it doesn't happen. m-c regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b9012a18d2c6&tochange=9b4dd06e1c9d tracemonkey regression range: http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=14ae4c00c420&tochange=700866ae679d
Flags: blocking1.9.2?
in the same regression window (maybe a duplicate of this one): bug 505516
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
It's now crashing since 2009-08-26-04: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b712ab888d9b&tochange=485a319ce5e6
Severity: major → critical
Keywords: crash
Summary: Unresponsive script warning on Google Docs with jit enabled → Crash on Google Docs with jit enabled
We are going to need some bisecting here. There are 132 TM changesets in that window.
It doesn't crash on Linux apparently (there is still the unresponsive script dialog there).
I am guessing upvar on trace.
Assignee: general → dmandelin
The first regression, when it started becoming unresponsive, came here: changeset: 30020:c76558a87dd9 user: David Mandelin <dmandelin@mozilla.com> date: Wed Jul 08 11:16:41 2009 -0700 summary: Bug 453730: trace JSOP_ARGUMENTS, r=gal
The crash, which started at a later time, seems to occur because in array_slice, the new array nobj (in the non-dense path at the bottom of the function) gets gc'd during the loop that sets up its values. That's pretty surprising, but it doesn't seem to be the source of the problem: if I use a JSAutoTempValueRooter on nobj, the crash goes away, and I do eventually get a Google Docs window, but only after a 10+ seconds. The slowness appears to be related somehow to tracing JSOP_ARGUMENTS, but I haven't figured that out yet.
Attached file Shell test case
This is a shell test case that behaves differently in jit vs. browser. I believe it is due to the same bug. (Bisection showed that the problem started when JSOP_ARGUMENTS started being traced. I modified TM to print out PCs where JSOP_ARGUMENTS was executed. I discovered that the program worked fine if I made a certain one abort. I then looked at the Google code for that PC and wrote some similar shell code. This was also based on a hunch that the problem was related to passing |arguments| objects created on trace to builtins.)
Attached patch Stopgap patch (obsolete) — Splinter Review
This patch fixes the Google Docs bug, but some related issue remain. I'd like to do those as a separate bug, if that's OK, and push this first to fix things up for nightly users. The basic problem is that arguments objects created on trace don't have a frame pointer (because there is no frame), so to the arguments property getter/setter code, they look like arguments objects from returned functions. This is a problem for builtins at least, and perhaps other code too. The stopgap just checks for arguments objects being passed to builtins at record time and aborts.
Attachment #397967 - Flags: review?(jorendorff)
Attached patch Stopgap patch 2Splinter Review
Forgot to reformat the test case.
Attachment #397967 - Attachment is obsolete: true
Attachment #397975 - Flags: review?
Attachment #397967 - Flags: review?(jorendorff)
Attachment #397975 - Flags: review? → review?(jorendorff)
(In reply to comment #10) > Stopgap patch > > This patch fixes the Google Docs bug, but some related issue remain. I'd like > to do those as a separate bug, if that's OK, and push this first to fix things > up for nightly users. Out of curiosity, does your patch happen to also fix the issue from sister- bug 505516 (via comment #1) in which Google Spreadsheets' navigation bar is grayed out?
(In reply to comment #12) > (In reply to comment #10) > > Stopgap patch > > > > This patch fixes the Google Docs bug, but some related issue remain. I'd like > > to do those as a separate bug, if that's OK, and push this first to fix things > > up for nightly users. > > Out of curiosity, does your patch happen to also fix the issue from sister- bug > 505516 (via comment #1) in which Google Spreadsheets' navigation bar is grayed > out? Seems to.
Attached patch WIP real fix (obsolete) — Splinter Review
This patch (supposedly) works in general and can stay on trace for almost all cases of getting an argument through natives. The basic idea is to set the |private| member for trace-created arguments objects to a struct that contains a pointer to the arguments area of the native stack and a typemap for said area. The getter for Arguments can then use that to get the value and box it to a jsval. Currently this is running on try, but my main question about it is whether doing the deep bail as I do in the getter (for the oom-on-alloc-double case) and the setter (for all cases) is correct.
Attached patch Patch (obsolete) — Splinter Review
This is a full fix: Arguments objects created on trace get a specially tagged private pointer to the arguments area, and the getter is updated to use it.
Attachment #398051 - Attachment is obsolete: true
Attachment #398504 - Flags: review?(gal)
Attachment #398504 - Attachment is obsolete: true
Attachment #398506 - Flags: review?(gal)
Attachment #398504 - Flags: review?(gal)
Comment on attachment 397975 [details] [diff] [review] Stopgap patch 2 Looks pretty sketchy to me. :) If you still think it's necessary, ping me on IRC and we can land this, but if the complete fix is ready today, I'd rather see that land.
Attachment #397975 - Flags: review?(jorendorff)
(In reply to comment #17) > (From update of attachment 397975 [details] [diff] [review]) > Looks pretty sketchy to me. :) > > If you still think it's necessary, ping me on IRC and we can land this, but if > the complete fix is ready today, I'd rather see that land. Yes, the plan is now just to land the complete fix.
Attachment #398506 - Flags: review?(gal) → review+
Comment on attachment 398506 [details] [diff] [review] Patch 2 (forgot test case last time) >+ >+// This function uses a type defined only if tracing is enabled. Not sure we need that comment. > if (arg < GetArgsLength(obj)) { >+// This type is defined only if tracing is enabled. dito Love the template hack for the double OOM handling.
Comment on attachment 398506 [details] [diff] [review] Patch 2 (forgot test case last time) >+struct ReserveDoubleOOMHandler { >+ static bool handleDoubleOOM(JSContext *cx, double d, jsval& v) >+ { Love this template traits stuff, but nit: inline method style puts qualifiers, type, declarator and { all on the same line where they fit. Matches the zero-inheritance { style for the struct head. /be
Pushed to TM with nits fixed as 277d2b2e2384.
Whiteboard: fixed-in-tracemonkey
Regression in unit tests: trace-test/tests/basic/inArrayTest.js: trace-test/tests/basic/inArrayTest.js:9: TypeError: Assertion failed: got 10, expected 104 Maybe back this out?
dave?
I don't see the regression on any other platform on the waterfall and the patch and the test case seem very unrelated.
I couldn't reproduce this on Linux.
mac tinderbox is also failing now. I can't reproduce this on mac either.
(In reply to comment #22) > Regression in unit tests: > > trace-test/tests/basic/inArrayTest.js: trace-test/tests/basic/inArrayTest.js:9: > TypeError: Assertion failed: got 10, expected 104 > > Maybe back this out? [Forehead slap.] I changed the 'expect' to 104 to test a minor fix to the tinderbox output for trace-test.py and accidentally committed that as part of this patch. Looks like it got fixed already.
Can we get TM merged to trunk soon so I can actually use Google Docs, please? :)
P1 now.
Priority: P2 → P1
sayrer usually does the merge but he's on vacation until Monday. Does anyone know his merge procedure?
from a tracemonkey tree: hg pull -u http://hg.mozilla.org/mozilla-central hg merge hg commit ... builds, green tinderboxes ... from a mozilla-central tree: hg pull -u http://hg.mozilla.org/tracemonkey hg merge hg commit
http://hg.mozilla.org/mozilla-central/rev/277d2b2e2384
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Verified fixed on trunk with builds on all platforms like Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a1pre) Gecko/20090920 Minefield/3.7a1pre ID:20090920031129
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Target Milestone: --- → mozilla1.9.3a1
Verified fixes on 1.9.2 with builds on all platforms like Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2b1pre) Gecko/20091004 Namoroka/3.6b1pre ID:20091004033636
Keywords: testcase-wantedtestcase, verified1.9.2
js/src/trace-test/tests/basic/argumentsPassedToBuiltin.js
Flags: in-testsuite? → in-testsuite+
Depends on: 523370
Blocks: 505584
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: