Closed Bug 587119 Opened 12 years ago Closed 12 years ago

JM: opening a 2nd input value popup in about:config crashes if tracing jit of chrome is enabled.


(Core :: JavaScript Engine, defect)






(Reporter: bugs, Unassigned)




(1 file)

Repeatedly reproducible.  Double-click on a string value in about:config, close the popup.
Double-click on another one, crashes.

As with the other crasher I just filed, bug #587117, the bt for that thread was useless.

#0  0x00007fffde845c3e in ?? ()
... more 7fff ...
#11 0x0000000000000001 in ?? ()
#12 0x00007fffd002e400 in ?? ()
#13 0x0000000000000000 in ?? ()

Again, apologies for filing it in the wrong product - hopefully the template problem will be resolved eventually.
Assignee: marcia → general
Component: Bugzilla: Keywords & Components → JavaScript Engine
Product: → Core
QA Contact: timeless → general
Version: other → Trunk
Is this still happening? I just tried it now and it didn't crash.
It was happening as of ef8903b263d3 - retested it same time as the other bug.
x64 linux of course.

I'll retest on Monday when I get back to that computer against whatever jäger tip is at that point.
Oh, this is a bit silly, but you did enable method jit for chrome, right? :)
Reproduced in:
changeset:   51144:89b775191b9d
tag:         tip

Does require methodjit enabled for *chrome* and only reproduced so far on Linux 64 bit
OK, thanks for the additional info. I've been working mostly on x86, trying to get that all cleaned up, which is why I couldn't see it, but it's about x64 time now. We should look at this soon.
BTW, I'm not sure if he filed it, but jandem noticed that clicking on the Advanced tab in preferences also crashed if method jit of chrome was enabled.

I was able to reproduce this one as well.  Possibly related? Hard to tell w/ the useless backtrace.
(In reply to comment #6)
> BTW, I'm not sure if he filed it, but jandem noticed that clicking on the
> Advanced tab in preferences also crashed if method jit of chrome was enabled.

I told sstangl about it. He said that it looks like a PIC bug. I just tried this bug and it seems to be the same problem -- a mov (%somereg), (%otherreg) in PIC-like code.
I looked a bit closer at the asm, here's a snippet:

   0x7f23c6b78e3b:      jmpq   0x7f23c6015447
   0x7f23c6b78e40:      mov    0xe8(%rbx),%eax
=> 0x7f23c6b78e46:      mov    (%rax),%r10
   0x7f23c6b78e49:      mov    (%r10),%r10d
   0x7f23c6b78e4c:      cmp    $0x2858d,%r10d
   0x7f23c6b78e53:      jne    0x7f23c6017fb0
   0x7f23c6b78e59:      mov    0x18(%rax),%rax
   0x7f23c6b78e5d:      test   %rax,%rax
   0x7f23c6b78e60:      je     0x7f23c6017fb0
   0x7f23c6b78e66:      mov    (%rax),%r10
   0x7f23c6b78e69:      mov    (%r10),%r10d
   0x7f23c6b78e6c:      cmp    $0x2540a,%r10d

This looks like the code generated in GetPropCompiler::GenerateStub. It would make much more sense if eax is replaced by rax. The code that generates that line is PolyIC line 856 (line 1213 is similar): 

masm.load32(Address(JSFrameReg, pic.objRemat()), pic.objReg);

Shouldn't this be loadPtr? This explains the eax instead of rax and the x64-only crashes...
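The load32-versus-loadPtr mechanism described above, as an added illustration that is not code from this bug or from SpiderMonkey: a small C model of the stub's first load, where the frame layout, the 0xe8 slot offset and the object address 0x7fffd002e400 are constructed for the example. It also covers the 4-byte-pointer (x86) case to show why the truncation only bites on x64.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the PolyIC stub's first load (added example, not
 * SpiderMonkey code). The frame slot at `off` holds an object pointer; the
 * stub copies it into objReg and then dereferences objReg. A 4-byte load
 * into a 64-bit register (mov off(%rbx),%eax) zero-extends, so the upper
 * 32 bits of the address are lost; an 8-byte load (mov off(%rbx),%rax)
 * keeps the whole pointer. */

#define OBJREMAT_OFF 0xe8u   /* slot offset taken from the asm snippet above */

/* Reads `width` little-endian bytes from frame+off into a 64-bit register. */
static uint64_t load_slot(const uint8_t *frame, size_t off, size_t width)
{
    uint64_t reg = 0;
    for (size_t i = 0; i < width; i++)
        reg |= (uint64_t)frame[off + i] << (8 * i);
    return reg;
}

/* Value left in objReg for a frame whose slot holds `obj` (stored in
 * ptr_size bytes). use_loadptr=0 models load32, use_loadptr=1 models loadPtr. */
uint64_t stub_obj_reg(uint64_t obj, size_t ptr_size, int use_loadptr)
{
    uint8_t frame[0x100] = {0};          /* constructed frame contents */
    for (size_t i = 0; i < ptr_size; i++)
        frame[OBJREMAT_OFF + i] = (uint8_t)(obj >> (8 * i));
    return load_slot(frame, OBJREMAT_OFF, use_loadptr ? ptr_size : 4);
}

/* 1 if load32 would leave the correct pointer in objReg, 0 if it truncates it. */
int load32_is_safe(uint64_t obj, size_t ptr_size)
{
    return stub_obj_reg(obj, ptr_size, 0) == stub_obj_reg(obj, ptr_size, 1);
}

int main(void)
{
    uint64_t obj = 0x00007fffd002e400ULL; /* constructed 64-bit heap address */
    printf("x64 load32 : objReg = 0x%016llx (safe=%d)\n",
           (unsigned long long)stub_obj_reg(obj, 8, 0), load32_is_safe(obj, 8));
    printf("x64 loadPtr: objReg = 0x%016llx\n",
           (unsigned long long)stub_obj_reg(obj, 8, 1));
    printf("x86 load32 : safe=%d\n", load32_is_safe(0xd002e400ULL, 4));
    return 0;
}
```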
Attached patch Patch
After some discussion on IRC with sstangl we came up with this patch. It fixes both the Advanced tab in preferences and the about:config crash for me.
Attachment #466775 - Flags: review?(sstangl)
Attachment #466775 - Flags: review?(sstangl) → review+

Great find.
Closed: 12 years ago
Resolution: --- → FIXED
Jan wins: JM tip with the above two patches finally runs gmail on x64-opt.