JM: opening a 2nd input value popup in about:config crashes if tracing jit of chrome is enabled.

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reporter: nemo (Unassigned)
Version: Trunk
Platform: x86_64 Linux
Attachments: 1
Description

7 years ago
Repeatedly reproducible. Double-click on a string value in about:config, close the popup.
Double-click on another one, and it crashes.

As with the other crasher I just filed, bug #587117, the bt for that thread was useless.

#0  0x00007fffde845c3e in ?? ()
... more 7fff ...
#11 0x0000000000000001 in ?? ()
#12 0x00007fffd002e400 in ?? ()
#13 0x0000000000000000 in ?? ()

Again, apologies for filing it in the wrong product - hopefully the template problem will be resolved eventually.

Updated

7 years ago
Assignee: marcia → general
Component: Bugzilla: Keywords & Components → JavaScript Engine
Product: mozilla.org → Core
QA Contact: timeless → general
Version: other → Trunk
Blocks: 562996

Is this still happening? I just tried it now and it didn't crash.
(Reporter)

Comment 2

7 years ago
It was happening as of ef8903b263d3 - retested it same time as the other bug.
x64 linux of course.

I'll retest on Monday when I get back to that computer against whatever jäger tip is at that point.
(Reporter)

Comment 3

7 years ago
Oh, this is a bit silly, but you did enable method jit for chrome, right? :)
(Reporter)

Comment 4

7 years ago
Reproduced in:
changeset:   51144:89b775191b9d
tag:         tip

Does require methodjit enabled for *chrome*, and only reproduced so far on Linux 64-bit.

OK, thanks for the additional info. I've been working mostly on x86, trying to get that all cleaned up, which is why I couldn't see it, but it's about x64 time now. We should look at this soon.
(Reporter)

Comment 6

7 years ago
BTW, I'm not sure if he filed it, but jandem noticed that clicking on the Advanced tab in preferences also crashed if method jit of chrome was enabled.

I was able to reproduce this one as well. Possibly related? Hard to tell w/ the useless backtrace.

(In reply to comment #6)
> BTW, I'm not sure if he filed it, but jandem noticed that clicking on the
> Advanced tab in preferences also crashed if method jit of chrome was enabled.

I told sstangl about it. He said that it looks like a PIC bug. I just tried this bug and it seems to be the same problem -- a mov (%somereg), (%otherreg) in PIC-like code.

I looked a bit closer at the asm, here's a snippet:

   0x7f23c6b78e3b:      jmpq   0x7f23c6015447
   0x7f23c6b78e40:      mov    0xe8(%rbx),%eax
=> 0x7f23c6b78e46:      mov    (%rax),%r10
   0x7f23c6b78e49:      mov    (%r10),%r10d
   0x7f23c6b78e4c:      cmp    $0x2858d,%r10d
   0x7f23c6b78e53:      jne    0x7f23c6017fb0
   0x7f23c6b78e59:      mov    0x18(%rax),%rax
   0x7f23c6b78e5d:      test   %rax,%rax
   0x7f23c6b78e60:      je     0x7f23c6017fb0
   0x7f23c6b78e66:      mov    (%rax),%r10
   0x7f23c6b78e69:      mov    (%r10),%r10d
   0x7f23c6b78e6c:      cmp    $0x2540a,%r10d

This looks like the code generated in GetPropCompiler::GenerateStub. It would make much more sense if eax were replaced by rax. The code that generates that line is PolyIC line 856 (line 1213 is similar):

masm.load32(Address(JSFrameReg, pic.objRemat()), pic.objReg);

Shouldn't this be loadPtr? This explains the eax instead of rax and the x64-only crashes...
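To make the width mismatch concrete, here is an added C model (not SpiderMonkey code) of the two loads: it stores a constructed 64-bit pointer into a byte buffer standing in for the frame slot at the 0xe8 displacement seen in the disassembly, then reads it back the way load32 (mov into eax, zero-extended into rax) and loadPtr (mov into rax) would, and reports whether the address handed to the following dereference was truncated. The 0xe8 offset and the sample address are taken from the snippet above; the frame layout itself is an assumption.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Displacement of the rematerialised object pointer from JSFrameReg (rbx): 0xe8
   as in the disassembly. The frame buffer is a constructed stand-in, not JSStackFrame. */
#define OBJ_REMAT_OFFSET 0xe8
#define FRAME_BYTES      0x100

/* Model of masm.load32: mov 0xe8(%rbx),%eax. Writing eax zero-extends into rax,
   so the high half of a 64-bit pointer is dropped (little-endian, as on x86). */
static uint64_t emulate_load32(const uint8_t *frame, size_t off) {
    uint32_t lo;
    memcpy(&lo, frame + off, sizeof lo);
    return (uint64_t)lo;
}

/* Model of masm.loadPtr: mov 0xe8(%rbx),%rax, a full pointer-width load. */
static uint64_t emulate_loadptr(const uint8_t *frame, size_t off) {
    uintptr_t p;
    memcpy(&p, frame + off, sizeof p);
    return (uint64_t)p;
}

/* Store obj in the frame slot and report what each load variant would hand to
   the following "mov (%rax),%r10". */
static void rematerialise(uintptr_t obj, uint64_t *via_load32, uint64_t *via_loadptr) {
    uint8_t frame[FRAME_BYTES] = {0};
    memcpy(frame + OBJ_REMAT_OFFSET, &obj, sizeof obj);
    *via_load32  = emulate_load32(frame, OBJ_REMAT_OFFSET);
    *via_loadptr = emulate_loadptr(frame, OBJ_REMAT_OFFSET);
}

/* 1 if the 32-bit load gives a different address than stored (the stub would then
   dereference garbage). On 32-bit builds both loads are 4 bytes, so always 0. */
static int load32_truncates(uintptr_t obj) {
    uint64_t a, b;
    rematerialise(obj, &a, &b);
    return a != b;
}

int main(void) {
    /* Constructed sample address in the mmap range, like those in the backtrace. */
    uintptr_t obj = (uintptr_t)UINT64_C(0x00007f23c6b78e40);
    uint64_t a, b;
    rematerialise(obj, &a, &b);
    printf("load32 -> %#llx, loadPtr -> %#llx, truncated=%d\n",
           (unsigned long long)a, (unsigned long long)b, load32_truncates(obj));
    return 0;
}
```

On an x64 build the first load yields 0xc6b78e40 while the second yields the full 0x7f23c6b78e40, which is exactly the eax-versus-rax difference visible in the listing.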

Created attachment 466775: Patch

After some discussion on IRC with sstangl we came up with this patch. It fixes both the Advanced tab in preferences and the about:config crash for me.
Attachment #466775 - Flags: review?(sstangl)

Updated

7 years ago
Attachment #466775 - Flags: review?(sstangl) → review+

http://hg.mozilla.org/projects/jaegermonkey/rev/a8bba14743be

Great find.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Fixes similar problems:

http://hg.mozilla.org/projects/jaegermonkey/rev/31db2f636fdc

Jan wins: JM tip with the above two patches finally runs gmail on x64-opt.