Closed Bug 585714 Opened 15 years ago Closed 14 years ago

crash (assert) in nanojit: "LIR type error (start of writer pipeline): arg 1 of 'eqi' is 'callq' which has type int64 (expected int32): 0"

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: bjacob, Unassigned)

References

Details

Attachments

(2 files)

Hi, this is from bug 585199. Basically, here on Linux x86-64, I get a crash when I allow a certain WebGL function to be quickstubbed. The WebGL function in question is WebGLContext::getShaderParameter and it is returning an nsIVariant.

The crash occurs at line 57 of:
https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/conformance/gl-uniform-arrays.html

The JS code is:

        var compiled = ctx.getShaderParameter(shader, ctx.COMPILE_STATUS);
57 ---> if (!compiled) {

Quote from IRC:
[15:47] <dvander> bjacob, it seems like something returned a boolean but the tracer thinks there's some kind of 64-bit value

Here's an updated backtrace. I am at fb0c72c4bfb3 + my local patches.

(gdb) bt
#0  0x000000381e0a6afd in nanosleep () at ../sysdeps/unix/syscall-template.S:82
#1  0x000000381e0a6970 in __sleep (seconds=0) at ../sysdeps/unix/sysv/linux/sleep.c:138
#2  0x00007f527d62390c in ah_crap_handler (signum=6) at /home/bjacob/mozilla-central/toolkit/xre/nsSigHandlers.cpp:132
#3  0x00007f527d6286c1 in nsProfileLock::FatalSignalHandler (signo=6, info=0x7fff0235acf0, context=0x7fff0235abc0) at nsProfileLock.cpp:221
#4  <signal handler called>
#5  0x000000381e80f30b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#6  0x00007f527cc96fbe in avmplus::AvmAssertFail () at /home/bjacob/mozilla-central/js/src/nanojit/avmplus.cpp:78
#7  0x00007f527cc91cee in nanojit::ValidateWriter::typeCheckArgs (this=0x7f526d833d28, op=nanojit::LIR_eqi, nArgs=2, formals=0x7fff0235b100, args=0x7fff0235b0f0) at /home/bjacob/mozilla-central/js/src/nanojit/LIR.cpp:2829
#8  0x00007f527cc925fb in nanojit::ValidateWriter::ins2 (this=0x7f526d833d28, op=nanojit::LIR_eqi, a=0x7f5264af81a8, b=0x7f5264ade0c0) at /home/bjacob/mozilla-central/js/src/nanojit/LIR.cpp:3135
#9  0x00007f527cbd5ad3 in nanojit::LirWriter::ins2ImmI (this=0x7f526d833d28, v=nanojit::LIR_eqi, oprnd1=0x7f5264af81a8, imm=1) at /home/bjacob/mozilla-central/js/src/nanojit/LIR.h:1622
#10 0x00007f527cc5501e in js::TraceRecorder::record_JSOP_NOT (this=0x7f5264ad1c00) at /home/bjacob/mozilla-central/js/src/jstracer.cpp:10841
#11 0x00007f527cc483f4 in js::TraceRecorder::monitorRecording (this=0x7f5264ad1c00, op=JSOP_NOT) at /home/bjacob/mozilla-central/js/src/jsopcode.tbl:151
#12 0x00007f527cb2b2d5 in js::Interpret (cx=0x7f52708d4000) at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:2475
#13 0x00007f527cb56075 in js::Execute (cx=0x7f52708d4000, chain=0x7f5266c5d708, script=0x7f5265453000, down=0x0, flags=0, result=0x0) at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:907
#14 0x00007f527cab17c9 in JS_EvaluateUCScriptForPrincipals (cx=0x7f52708d4000, obj=0x7f5266c5d708, principals=0x7f526b7471f8, chars=0x7f52652f6008, length=8531, filename=0x7f526c65c428 "https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/conformance/gl-uniform-arrays.html", lineno=40, rval=0x0) at /home/bjacob/mozilla-central/js/src/jsapi.cpp:4765
#15 0x00007f527df15656 in nsJSContext::EvaluateString (this=0x7f526ba14a20, aScript=..., aScopeObject=0x7f5266c5d708, aPrincipal=0x7f526b7471f0, aURL=0x7f526c65c428 "https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/conformance/gl-uniform-arrays.html", aLineNo=40, aVersion=0, aRetValue=0x0, aIsUndefined=0x7fff0235ce0c) at /home/bjacob/mozilla-central/dom/base/nsJSEnvironment.cpp:1811
#16 0x00007f527dc9131f in nsScriptLoader::EvaluateScript (this=0x7f5266e78ca0, aRequest=0x7f5267bbd6a0, aScript=...) at /home/bjacob/mozilla-central/content/base/src/nsScriptLoader.cpp:764
#17 0x00007f527dc90ced in nsScriptLoader::ProcessRequest (this=0x7f5266e78ca0, aRequest=0x7f5267bbd6a0) at /home/bjacob/mozilla-central/content/base/src/nsScriptLoader.cpp:674
#18 0x00007f527dc908aa in nsScriptLoader::ProcessScriptElement (this=0x7f5266e78ca0, aElement=0x7f526c7163e8) at /home/bjacob/mozilla-central/content/base/src/nsScriptLoader.cpp:614
#19 0x00007f527dc8d5e1 in nsScriptElement::MaybeProcessScript (this=0x7f526c7163e8) at /home/bjacob/mozilla-central/content/base/src/nsScriptElement.cpp:195
#20 0x00007f527ddb4224 in nsHTMLScriptElement::MaybeProcessScript (this=0x7f526c716380) at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLScriptElement.cpp:551
#21 0x00007f527ddb3eec in nsHTMLScriptElement::DoneAddingChildren (this=0x7f526c716380, aHaveNotified=1) at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLScriptElement.cpp:479
#22 0x00007f527e0e9382 in nsHtml5TreeOpExecutor::RunScript (this=0x7f526b740240, aScriptElement=0x7f526c716380) at /home/bjacob/mozilla-central/parser/html/nsHtml5TreeOpExecutor.cpp:726
#23 0x00007f527e0e89be in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x7f526b740240) at /home/bjacob/mozilla-central/parser/html/nsHtml5TreeOpExecutor.cpp:521
#24 0x00007f527e0ea14e in nsHtml5ExecutorReflusher::Run (this=0x7f5266d48740) at /home/bjacob/mozilla-central/parser/html/nsHtml5TreeOpExecutor.cpp:90
#25 0x00007f527ec47587 in nsThread::ProcessNextEvent (this=0x7f527b038d70, mayWait=0, result=0x7fff0235d7fc) at /home/bjacob/mozilla-central/xpcom/threads/nsThread.cpp:547
#26 0x00007f527ebd3fd5 in NS_ProcessNextEvent_P (thread=0x7f527b038d70, mayWait=0) at nsThreadUtils.cpp:250
#27 0x00007f527ea6fda2 in mozilla::ipc::MessagePump::Run (this=0x7f527b0af740, aDelegate=0x7f527b0da1c0) at /home/bjacob/mozilla-central/ipc/glue/MessagePump.cpp:118
#28 0x00007f527ecb01cd in MessageLoop::RunInternal (this=0x7f527b0da1c0) at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
#29 0x00007f527ecb0152 in MessageLoop::RunHandler (this=0x7f527b0da1c0) at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:202
#30 0x00007f527ecb00e3 in MessageLoop::Run (this=0x7f527b0da1c0) at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:176
#31 0x00007f527e914b19 in nsBaseAppShell::Run (this=0x7f52736e0a20) at /home/bjacob/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:175
#32 0x00007f527e669455 in nsAppStartup::Run (this=0x7f5270fb3560) at /home/bjacob/mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:191
#33 0x00007f527d6157ef in XRE_main (argc=4, argv=0x7fff0235e458, aAppData=0x7f527b0250f0) at /home/bjacob/mozilla-central/toolkit/xre/nsAppRunner.cpp:3673
#34 0x0000000000401f4f in main (argc=4, argv=0x7fff0235e458) at /home/bjacob/mozilla-central/browser/app/nsBrowserApp.cpp:158
I wasn't able to get any assert on OS X 10.6 or 64-bit Ubuntu with TM tip. (Btw, to get either to run all the tests, I set webgl.enabled_for_all_sites;true and webgl.shader_validator;false.) Are you able to reproduce this error on TM?
Haven't tried TM yet, will try and report tomorrow. Just for the record --- you need to have the patch from bug 585199 applied, in order to get the crash.
(In reply to comment #2)
> Just for the record --- you need to have the patch from bug 585199 applied, in
> order to get the crash.

Ah, missed that, thanks.
This patch against tracemonkey should compile cleanly and allow reproducing the crash, if the issue exists in the tracemonkey tree. Still compiling here, will report once it's finished.
Awesome, with the patch from comment 4 applied to TM, it does build, and it does crash ;-)

Assertion failure: LIR type error (start of writer pipeline): arg 1 of 'eqi' is 'callq' which has type int64 (expected int32): 0 (/home/bjacob/tracemonkey/js/src/nanojit/LIR.cpp:2834)

back-trace:
#0  0x000000381e0a6afd in nanosleep () at ../sysdeps/unix/syscall-template.S:82
#1  0x000000381e0a6970 in __sleep (seconds=0) at ../sysdeps/unix/sysv/linux/sleep.c:138
#2  0x00007fcaf85ee7fc in ah_crap_handler (signum=6) at /home/bjacob/tracemonkey/toolkit/xre/nsSigHandlers.cpp:132
#3  0x00007fcaf85f35b1 in nsProfileLock::FatalSignalHandler (signo=6, info=0x7fffc2884430, context=0x7fffc2884300) at nsProfileLock.cpp:221
#4  <signal handler called>
#5  0x000000381e80f30b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#6  0x00007fcaf7c6178a in avmplus::AvmAssertFail () at /home/bjacob/tracemonkey/js/src/nanojit/avmplus.cpp:78
#7  0x00007fcaf7c5c4ba in nanojit::ValidateWriter::typeCheckArgs (this=0x7fcae0460d28, op=nanojit::LIR_eqi, nArgs=2, formals=0x7fffc2884830, args=0x7fffc2884820) at /home/bjacob/tracemonkey/js/src/nanojit/LIR.cpp:2829
#8  0x00007fcaf7c5cdc7 in nanojit::ValidateWriter::ins2 (this=0x7fcae0460d28, op=nanojit::LIR_eqi, a=0x7fcae04841a8, b=0x7fcae046b0c0) at /home/bjacob/tracemonkey/js/src/nanojit/LIR.cpp:3135
#9  0x00007fcaf7b9ff13 in nanojit::LirWriter::ins2ImmI (this=0x7fcae0460d28, v=nanojit::LIR_eqi, oprnd1=0x7fcae04841a8, imm=1) at /home/bjacob/tracemonkey/js/src/nanojit/LIR.h:1622
#10 0x00007fcaf7c1f7e2 in js::TraceRecorder::record_JSOP_NOT (this=0x7fcae044e800) at /home/bjacob/tracemonkey/js/src/jstracer.cpp:10865
#11 0x00007fcaf7c12bb8 in js::TraceRecorder::monitorRecording (this=0x7fcae044e800, op=JSOP_NOT) at /home/bjacob/tracemonkey/js/src/jsopcode.tbl:151
#12 0x00007fcaf7af47ba in js::Interpret (cx=0x7fcae74d2c00) at /home/bjacob/tracemonkey/js/src/jsinterp.cpp:2460
#13 0x00007fcaf7b1f60f in js::Execute (cx=0x7fcae74d2c00, chain=0x7fcae5f7a708, script=0x7fcae0e9b000, down=0x0, flags=0, result=0x0) at /home/bjacob/tracemonkey/js/src/jsinterp.cpp:900
#14 0x00007fcaf7a7a66b in JS_EvaluateUCScriptForPrincipals (cx=0x7fcae74d2c00, obj=0x7fcae5f7a708, principals=0x7fcae1b204c8, chars=0x7fcae0f5a008, length=8531, filename=0x7fcae5e09988 "https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/conformance/gl-uniform-arrays.html", lineno=40, rval=0x0) at /home/bjacob/tracemonkey/js/src/jsapi.cpp:4782
#15 0x00007fcaf8ee0546 in nsJSContext::EvaluateString (this=0x7fcae74522e0, aScript=..., aScopeObject=0x7fcae5f7a708, aPrincipal=0x7fcae1b204c0, aURL=0x7fcae5e09988 "https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/conformance/gl-uniform-arrays.html", aLineNo=40, aVersion=0, aRetValue=0x0, aIsUndefined=0x7fffc288650c) at /home/bjacob/tracemonkey/dom/base/nsJSEnvironment.cpp:1811
#16 0x00007fcaf8c5c20f in nsScriptLoader::EvaluateScript (this=0x7fcae1b04400, aRequest=0x7fcae0e219a0, aScript=...) at /home/bjacob/tracemonkey/content/base/src/nsScriptLoader.cpp:764
#17 0x00007fcaf8c5bbdd in nsScriptLoader::ProcessRequest (this=0x7fcae1b04400, aRequest=0x7fcae0e219a0) at /home/bjacob/tracemonkey/content/base/src/nsScriptLoader.cpp:674
#18 0x00007fcaf8c5b79a in nsScriptLoader::ProcessScriptElement (this=0x7fcae1b04400, aElement=0x7fcae5e09308) at /home/bjacob/tracemonkey/content/base/src/nsScriptLoader.cpp:614
#19 0x00007fcaf8c584d1 in nsScriptElement::MaybeProcessScript (this=0x7fcae5e09308) at /home/bjacob/tracemonkey/content/base/src/nsScriptElement.cpp:195
#20 0x00007fcaf8d7f114 in nsHTMLScriptElement::MaybeProcessScript (this=0x7fcae5e092a0) at /home/bjacob/tracemonkey/content/html/content/src/nsHTMLScriptElement.cpp:551
#21 0x00007fcaf8d7eddc in nsHTMLScriptElement::DoneAddingChildren (this=0x7fcae5e092a0, aHaveNotified=1) at /home/bjacob/tracemonkey/content/html/content/src/nsHTMLScriptElement.cpp:479
#22 0x00007fcaf90b4272 in nsHtml5TreeOpExecutor::RunScript (this=0x7fcae72b7a80, aScriptElement=0x7fcae5e092a0) at /home/bjacob/tracemonkey/parser/html/nsHtml5TreeOpExecutor.cpp:726
#23 0x00007fcaf90b38ae in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x7fcae72b7a80) at /home/bjacob/tracemonkey/parser/html/nsHtml5TreeOpExecutor.cpp:521
#24 0x00007fcaf90b503e in nsHtml5ExecutorReflusher::Run (this=0x7fcae1b02120) at /home/bjacob/tracemonkey/parser/html/nsHtml5TreeOpExecutor.cpp:90
#25 0x00007fcaf9c132a7 in nsThread::ProcessNextEvent (this=0x7fcaf6037d70, mayWait=0, result=0x7fffc2886efc) at /home/bjacob/tracemonkey/xpcom/threads/nsThread.cpp:547
#26 0x00007fcaf9b9fcf5 in NS_ProcessNextEvent_P (thread=0x7fcaf6037d70, mayWait=0) at nsThreadUtils.cpp:250
#27 0x00007fcaf9a3bac2 in mozilla::ipc::MessagePump::Run (this=0x7fcaf60af800, aDelegate=0x7fcaf60da1c0) at /home/bjacob/tracemonkey/ipc/glue/MessagePump.cpp:118
#28 0x00007fcaf9c7beed in MessageLoop::RunInternal (this=0x7fcaf60da1c0) at /home/bjacob/tracemonkey/ipc/chromium/src/base/message_loop.cc:219
#29 0x00007fcaf9c7be72 in MessageLoop::RunHandler (this=0x7fcaf60da1c0) at /home/bjacob/tracemonkey/ipc/chromium/src/base/message_loop.cc:202
#30 0x00007fcaf9c7be03 in MessageLoop::Run (this=0x7fcaf60da1c0) at /home/bjacob/tracemonkey/ipc/chromium/src/base/message_loop.cc:176
#31 0x00007fcaf98e0839 in nsBaseAppShell::Run (this=0x7fcaedaf1270) at /home/bjacob/tracemonkey/widget/src/xpwidgets/nsBaseAppShell.cpp:175
#32 0x00007fcaf9635175 in nsAppStartup::Run (this=0x7fcaebfb3650) at /home/bjacob/tracemonkey/toolkit/components/startup/src/nsAppStartup.cpp:191
#33 0x00007fcaf85e06df in XRE_main (argc=4, argv=0x7fffc2887b58, aAppData=0x7fcaf6027080) at /home/bjacob/tracemonkey/toolkit/xre/nsAppRunner.cpp:3673
#34 0x0000000000401f4f in main (argc=4, argv=0x7fffc2887b58) at /home/bjacob/tracemonkey/browser/app/nsBrowserApp.cpp:158
blocking2.0: --- → betaN+
Thanks! With that patch I can reproduce. So, it looks like the problem is the use of a jsval parameter with a quickstubbed traceable native. Basically, nsICanvasRenderingContextWebGL_GetShaderParameter_tn is adding the case that bug 549143 comment 65 happily exclaimed did not exist. The surprising thing is that this doesn't generate a qsgen.py or domquickstubs.cpp compile error. So, to fix this, we need to either handle traceable-natives taking jsvals or find a way to not generate traceable natives for such quickstubs.
nsICanvasRenderingContextWebGL_GetShaderParameter_tn is using jsval for an "object or null" argument and returns an "object or null". Are you saying that's not supported for traceable natives?
Ok, you can completely ignore comment 6, I was confusing "jsval passed as the C++ type" and "jsval in the idl". The actual error is that the IDL for getShaderParameter indicates that it returns an nsIVariant, which the (non-specialized) quickstub converts to a bool (producing a JSVAL_IS_BOOL), while the specialized native declares that it returns an object-or-null. Thus, when the tracer uses the return value, it expects to find a bool but finds an object, which have different sizes, so nanojit asserts. I'm guessing this nsIVariant-to-primitive conversion is a special case for nsIVariant and so qsgen.py needs an analogous special case. What do you think Peter?
The problem is that we don't know what type the function returns. nsIVariant can hold all possible types, and it's not because it returned a bool once that the next call will return a bool too. It seems like we either need to disable traceable native for functions returning nsIVariant, or support traceable natives returning jsval.
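A small Python model of the mismatch described in the two comments above, added here as an illustration and not code from qsgen.py or nanojit: the width of the call instruction follows the native's declared return type, recording JSOP_NOT compares it with 'eqi', and a validate-writer-style check reports the same diagnostic the assertion on this bug prints. The nsIVariant gate mirrors the fix attached to this bug (no traceable quickstub for nsIVariant returns); the IDL table, method names and opcode subset are constructed.

```python
# Constructed model of the type mismatch discussed above; not code from
# qsgen.py or nanojit. Widths and messages follow the assertion on this page.
from dataclasses import dataclass

INT32, INT64 = "int32", "int64"

@dataclass(frozen=True)
class LIns:
    opcode: str   # e.g. 'calli', 'callq', 'immi'
    type_: str    # INT32 or INT64

# Formal operand types for the opcodes this model needs (constructed subset).
FORMALS = {"eqi": (INT32, INT32), "eqq": (INT64, INT64)}

def type_check_args(op, args):
    """ValidateWriter-style check at the start of the writer pipeline.
    Returns None when well-typed, else a diagnostic in the page's format."""
    formals = FORMALS[op]
    if len(args) != len(formals):
        return f"LIR arity error: '{op}' expects {len(formals)} args, got {len(args)}"
    for i, (want, a) in enumerate(zip(formals, args), start=1):
        if a.type_ != want:
            return (f"LIR type error (start of writer pipeline): arg {i} of '{op}' "
                    f"is '{a.opcode}' which has type {a.type_} (expected {want})")
    return None

def call_ins_for(declared_return):
    """The recorder only knows the native's *declared* return type: a
    boolean result is a 32-bit call, an object-or-null result a 64-bit
    (pointer-sized on x86-64) call."""
    if declared_return == "boolean":
        return LIns("calli", INT32)
    if declared_return == "object or null":
        return LIns("callq", INT64)
    raise ValueError(f"no traceable encoding for {declared_return!r}")

def record_not(call_ins):
    """Recording JSOP_NOT on the call result: the tracer emits 'eqi'
    against the immediate 1, so the operand must be int32."""
    return type_check_args("eqi", (call_ins, LIns("immi", INT32)))

# Constructed IDL return types; the real ones live in the WebGL IDL.
IDL_RETURN = {"getShaderParameter": "nsIVariant", "isShader": "boolean"}

def traceable_native_allowed(method):
    """Gate modelled on the attached fix: an nsIVariant result has no
    fixed JS type at generation time, so no traceable native is emitted."""
    return IDL_RETURN[method] != "nsIVariant"
```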
I really wish we could make this work though.
Attachment #464761 - Flags: review?
Attachment #464761 - Flags: review? → review?(lw)
Whatever fix you check in, do you think this can get into mozilla-central quickly, or should I just use a work-around for now (just disable quickstubbing for methods returning nsIVariant)?
Comment on attachment 464761 [details] [diff] [review]
Disable traceable quickstubs with nsIVariant return type v1

Maybe file a followup bug to add support for returning jsvals?
Attachment #464761 - Flags: review?(lw) → review+
(In reply to comment #12)
> Comment on attachment 464761 [details] [diff] [review]
> Disable traceable quickstubs with nsIVariant return type v1
>
> Maybe file a followup bug to add support for returning jsvals?

No "Maybe" there.

/be
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED