Closed
Bug 635617
Opened 14 years ago
Closed 14 years ago
64-bit crash [@ MakeDay]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla8
People
(Reporter: chofmann, Assigned: m_kato)
References
Details
(Keywords: topcrash, Whiteboard: [fixed-in-tracemonkey])
Crash Data
Attachments
(3 files, 2 obsolete files)
|
782 bytes,
patch
|
Details | Diff | Splinter Review | |
|
1.30 KB,
text/plain
|
Details | |
|
4.50 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-c0e3dc2e-c404-4598-b1d1-024ac2110220 .
=============================================================
looks like this crash might have been around for awhile, but in the last couple of days there has been a slight bump in volume
MakeDay
date total breakdown by build
crashes count build, count build, ...
20110213 2 1 4.0b82010121417,
1 3.6.132010120307,
20110214
20110215 1 4.0b12pre2011021403 1 ,
20110216 1 4.0b12pre2011021603 1 ,
20110217 1 4.0b12pre2011021703 1 ,
20110218 1 4.0b12pre2011021803 1 ,
20110219 7 4 4.0b12pre2011021814,
3 4.0b12pre2011021903,
stacks mostly look like this, but there a few other variations
0 mozjs.dll MakeDay js/src/jsdate.cpp:365
1 mozjs.dll date_parseString js/src/jsdate.cpp:1141
2 mozjs.dll js_Date js/src/jsdate.cpp:2551
3 mozjs.dll js::InvokeConstructor js/src/jsinterp.cpp:1231
4 mozjs.dll js::Interpret js/src/jsinterp.cpp:4616
5 xul.dll nsIFrame::InvalidateInternalAfterResize layout/generic/nsFrame.cpp:4143
more reports at
https://crash-stats.mozilla.com/report/list?signature=MakeDay
looks like the code in the area has changed a bit over the last few weeks and months so there might be a possible low volume regression.
|
||
Comment 1•14 years ago
|
||
From 4.0b10pre/20110125, it is 64-bit build specific.
> but there a few other variations
The other stack trace looks like:
0 mozjs.dll MakeDay js/src/jsdate.cpp:365
1 mozjs.dll js_DoubleToInteger js/src/jsnum.h:603
2 mozjs.dll date_msecFromArgs js/src/jsdate.cpp:611
3 mozjs.dll js_GetPropertyHelper js/src/jsobj.cpp:5463
4 mozjs.dll js_LookupPropertyWithFlags js/src/jsobj.cpp:5034
5 mozjs.dll js_Date js/src/jsdate.cpp:2558
6 mozjs.dll js::InvokeConstructor js/src/jsinterp.cpp:1230
7 mozjs.dll js::Interpret js/src/jsinterp.cpp:4654
OS: Windows NT → Windows 7
Hardware: All → x86_64
Summary: crash [@ MakeDay] → 64-bit crash [@ MakeDay]
Version: unspecified → Trunk
|
Assignee | |
Comment 2•14 years ago
|
||
This is strange crash. But this may be http://support.microsoft.com/kb/982107
|
||
Comment 3•14 years ago
|
||
Here's a patch for MakeDay().
It removes this fmod() call which was useless anyway. It also removes the "if (month < 0) month += 12;".
If the fmod bug was the cause of this crash (I don't know), then it would fix the crash.
Attachment #515074 -
Flags: review?
|
|
||
Comment 4•14 years ago
|
||
CC'ing Jeff and Nick because `hg annotate` says they last made changes around there. Can you review my patch?
|
||
Comment 5•14 years ago
|
||
Wrong Jeff. :-)
|
|
||
Comment 6•14 years ago
|
||
So, um. Am I misreading this wrong when I see it (with or without patch) as, first thing, doing += on an uninitialized |year| variable?
|
|
||
Comment 7•14 years ago
|
||
year is passed as argument to this function.
|
|
||
Comment 8•14 years ago
|
||
So, yes, I am misreading this. Quit horribly! :-) Looking harder at this.
|
|
||
Comment 9•14 years ago
|
||
Ignoring the merits of the changes for possibly fixing a crash, this makes the algorithm deviate from the MakeDay algorithm in ES5 15.9.1.12 even more than the current algorithm does, further hindering analysis of its correctness. That seems not cool to me. If we did it more like the spec, integer-izing everything as a first pass, we could not have to worry about potential fmod bugs. Right? For the number of crashes here, I don't see an imperative to fix this in a way that does things less like the spec, when doing them more like the spec would apparently also avoid the MS fmod bug and would be easier to analyze as correct.
|
|
||
Comment 10•14 years ago
|
||
I don't think that my patch introduces any numerical difference. It just replaces
result = fmod(x, 12.0)
if (result < 0) result += 12;
by
result = x - 12.0 * floor(x / 12.0)
The attached test program shows that that doesn't make any difference as long as the double values don't stay in extended 80bit registers on x87.
The spec does prescribe using fmod(), but do we really have to follow it literally, especially if this doesn't change the result? It tells us to do 3 operations: division, floor, fmod. That's redundant! The fmod result follows from the result of the division/floor operation.
|
|
||
Comment 11•14 years ago
|
||
To clarify about the 80bit registers thing --- note that this can easily even make a condition of the form
expression == expression
be false, if the result of evaluating |expression| was once kept in registers (80bit) and once stored in memory (64bit). Just clarifying that I'm not cheating here :)
|
|
||
Comment 12•14 years ago
|
||
I agree it doesn't introduce numerical difference. What I'm saying is having the implementation algorithm read like the spec algorithm, even if it's a little redundant, pays off so long as the code is not super-performance-sensitive. Readability counts, notably for verifying correctness. I don't see MakeDay as a performance-sensitive method, not to the level where an extra FPU operation or two would show up outside (maybe) a micro-benchmark. If you could demonstrate otherwise, of course, that'd be a different matter.
|
|
||
Comment 13•14 years ago
|
||
Updated test program testing 1000x bigger numbers --- still no difference.
Attachment #515233 -
Attachment is obsolete: true
|
|
||
Comment 14•14 years ago
|
||
(In reply to comment #12)
> I agree it doesn't introduce numerical difference. What I'm saying is having
> the implementation algorithm read like the spec algorithm, even if it's a
> little redundant, pays off so long as the code is not
> super-performance-sensitive. Readability counts, notably for verifying
> correctness. I don't see MakeDay as a performance-sensitive method, not to the
> level where an extra FPU operation or two would show up outside (maybe) a
> micro-benchmark. If you could demonstrate otherwise, of course, that'd be a
> different matter.
Ah OK. Sure! Didn't want to bother you with premature optimization. So, assuming that the bug is indeed with fmod(), what's the fix going to look like? Wes from #jsapi pointed me to the js_fmod() function and mentioned that there were 5 other occurrences of fmod() around there. Should we just replace them by js_fmod() ?
|
|
||
Comment 15•14 years ago
|
||
js_fmod just funnels to fmod (usually), so that's probably not adequate and/or sufficient. I'm not entirely sure what would be, offhand. Dates aren't really my specialty (not to say they're anyone else's, tho), and the change you saw in revision logs was probably a systemic fix which didn't have much to do with dates or times or chronological calculation.
We don't even know if the MS fmod bug is what's at fault, do we? Really wishing we had a testcase right now. Also, looking at the crash reports, half of them seem to have half-busted stacks: js_GetPropertyHelper or js::Shape::get as the caller for MakeDay, and other such clearly-wrong things. On the other hand, there seem to be reports that finger date parsing output funneling into date_msecFromArgs, so it does seem real at least somewhat.
|
|
Assignee | |
Comment 16•14 years ago
|
||
|
|
Assignee | |
Updated•14 years ago
|
Attachment #515556 -
Flags: review?(jwalden+bmo)
|
|
Assignee | |
Updated•14 years ago
|
Assignee: general → m_kato
|
|
||
Comment 17•14 years ago
|
||
Comment on attachment 515556 [details] [diff] [review]
fix for fmod workaround
This appears reasonable to me, but Windows, Windows 64-bit, and Windows 64-bit assembly are not quite my strong points, so probably I should foist it on someone else. :-)
Attachment #515556 -
Flags: review?(jwalden+bmo) → review?(sstangl)
|
||
Updated•14 years ago
|
|
||
Comment 18•14 years ago
|
||
It would be very nice if this could be reviewed and land because it's now crashing on Youtube for me with this signature.
|
|
||
Comment 19•14 years ago
|
||
If nobody can review the assembly patch, please reconsider my patch, it was just 5 lines of c++.
The 2 patches are pretty much orthogonal, one avoids using fmod, one rewrites fmod.
|
|
||
Comment 20•14 years ago
|
||
Comment on attachment 515556 [details] [diff] [review]
fix for fmod workaround
Whatever, then. It's short enough that I can probably review reasonably without too much worry about it being horribly wrong. If something goes wrong, we can back out or figure out what to do then.
Attachment #515556 -
Flags: review?(sstangl) → review+
|
|
Assignee | |
Comment 21•14 years ago
|
||
I should add _MSC_VER check.
Attachment #515556 -
Attachment is obsolete: true
Attachment #537979 -
Flags: review?(jwalden+bmo)
|
|
||
Updated•14 years ago
|
Attachment #537979 -
Flags: review?(jwalden+bmo) → review+
|
||
Updated•14 years ago
|
Crash Signature: [@ MakeDay]
|
||
Comment 22•14 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/c25968f1f4f0
http://hg.mozilla.org/mozilla-central/rev/763b64b88b59 (backout)
Note: not marking as fixed because last changeset is a backout.
|
|
Assignee | |
Comment 23•14 years ago
|
||
Whiteboard: [fixed-in-tracemonkey]
|
|
||
Comment 24•14 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/76279a998f64
|
|
||
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
|
|
||
Comment 25•14 years ago
|
||
I just had another MakeDay crash with the 2011-07-07 build which should have the fix already afaik.
https://crash-stats.mozilla.com/report/index/968133df-2fa5-4b12-b64a-f216c2110708
|
||
Comment 26•14 years ago
|
||
This compiles fine with VC9 assembler, but VC8 assembler doesn't like it...
|
|
||
Comment 27•14 years ago
|
||
(In reply to comment #26)
> This compiles fine with VC9 assembler, but VC8 assembler doesn't like it...
Microsoft (R) Macro Assembler (AMD64) Version 8.00.40310.39
Copyright (C) Microsoft Corporation. All rights reserved.
MASM : warning A4018: invalid command-line option : -o
Assembling: jswin64.asm
jswin64.asm(45) : error A2222: x87 and MMX instructions disallowed; legacy FP state not saved in Win64
jswin64.asm(47) : warning A4026: .ENDPROLOG found before EH directives : js_myfmod
|
|
Assignee | |
Comment 28•14 years ago
|
||
I should turn off this on VC8. But VC8 has fmod bug, too...
(In reply to comment #27)
> (In reply to comment #26)
> > This compiles fine with VC9 assembler, but VC8 assembler doesn't like it...
> Microsoft (R) Macro Assembler (AMD64) Version 8.00.40310.39
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> MASM : warning A4018: invalid command-line option : -o
> Assembling: jswin64.asm
> jswin64.asm(45) : error A2222: x87 and MMX instructions disallowed; legacy
> FP state not saved in Win64
> jswin64.asm(47) : warning A4026: .ENDPROLOG found before EH directives :
> js_myfmod
|
|
||
Comment 29•14 years ago
|
||
Hmm, after looking more carefully, it seems that this error code was removed in later versions of ml64.exe, so it's a bug in the assembler.
If VC8 has the fmod bug, then maybe I can work around it locally by using
byte 0dbh, 0e2h
|
|
||
Updated•13 years ago
|
Attachment #515074 -
Flags: review?
You need to log in
before you can comment on or make changes to this bug.
Description
•