Closed Bug 646587 Opened 14 years ago Closed 14 years ago

TI: GC related Crash [@ js::Invoke]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The attached testcase (unpack, chdir and run main.js with -m -n -a) will crash on TI tip, tested on 64-bit. This looks like a GC-related crash:

==1757== Invalid read of size 8
==1757==    at 0x4F4FE0: js::Invoke(JSContext*, js::CallArgs const&, unsigned int) (jsinterp.cpp:728)
==1757==    by 0x71D88A: js::mjit::stubs::SlowCall(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:196)
==1757==    by 0x6FC463: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1069)
==1757==    by 0x41B3B50: ???
==1757==    by 0x68C53D: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:742)
==1757==    by 0x68C666: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:771)
==1757==    by 0x68C7DD: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:795)
==1757==    by 0x4F4D06: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:682)
==1757==    by 0x4F64A5: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:1094)
==1757==    by 0x43417D: JS_ExecuteScript (jsapi.cpp:5183)
==1757==    by 0x406EC7: Load(JSContext*, unsigned int, jsval_layout*) (js.cpp:1069)
==1757==    by 0x4F99BF: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, js::Value*), unsigned int, js::Value*) (jscntxtinlines.h:688)
==1757==  Address 0xdadadadadadadb3a is not stack'd, malloc'd or (recently) free'd
==1757== 
==1757== 
==1757== Process terminating with default action of signal 11 (SIGSEGV)

Previously we recorded dependencies which JIT code has on type information with calls like 'types->getKnownTypeTag(cx, script)' where script is the one currently being compiled.  This is a crap design when we are inlining frames, as it's super easy to incorrectly pass the inner script rather than the outermost one, record the dependencies wrong and get behavior like this (an inlined call thinks a GNAME is definitely a function which has already been collected).

This fixes things by removing the script argument from the calls which record dependencies, and using an AutoEnterCompilation which wraps all such calls and records all dependencies on the outermost script.

http://hg.mozilla.org/projects/jaegermonkey/rev/cc8882cb4cd4
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::Invoke]
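The following is an added sketch, not SpiderMonkey code, of the failure mode and fix described in the comment above. Names such as TypeSet, AutoEnterCompilation and getKnownTypeTag are borrowed from the comment, but the structures, the invalidation logic and the compile helpers are hypothetical and exist only to show why recording a type dependency on an inlined inner script leaves the outer script's JIT code assuming a stale type after the GC collects the function.

```cpp
// Added example (not the project's code): models the dependency-recording
// bug and the AutoEnterCompilation fix. All names below are hypothetical.
#include <cassert>
#include <cstdio>
#include <set>
#include <string>

// A script whose compiled JIT code must be thrown away when a type it relied on changes.
struct Script {
    std::string name;
    bool jitCodeValid = false;   // true once compiled, cleared on invalidation
};

// Type information for one global name (GNAME) plus the scripts whose JIT code
// was emitted under the assumption that its type tag stays fixed.
struct TypeSet {
    std::string knownTag;        // e.g. "function" or "undefined"
    std::set<Script*> dependents;

    // A type change invalidates every script that recorded a dependency.
    void setTag(const std::string& tag) {
        if (tag == knownTag) return;
        knownTag = tag;
        for (Script* s : dependents) s->jitCodeValid = false;
    }
};

// --- Old design: the caller names the script the dependency is recorded on. ---
// With inlining it is easy to pass the inner script, which owns no JIT code
// for this compilation, so the code that actually baked in the assumption is
// never invalidated.
std::string getKnownTypeTagOld(TypeSet& types, Script* script) {
    types.dependents.insert(script);
    return types.knownTag;
}

// --- New design: an RAII guard fixes the outermost script for the whole compilation. ---
struct Compiler {
    Script* outermost = nullptr;
};

struct AutoEnterCompilation {
    Compiler& cx;
    Script* saved;
    AutoEnterCompilation(Compiler& c, Script* outer) : cx(c), saved(c.outermost) { cx.outermost = outer; }
    ~AutoEnterCompilation() { cx.outermost = saved; }
};

// No script argument: every dependency lands on the outermost script, however
// deep the inlined frame that asked for the type.
std::string getKnownTypeTagNew(Compiler& cx, TypeSet& types) {
    assert(cx.outermost && "getKnownTypeTag called outside AutoEnterCompilation");
    types.dependents.insert(cx.outermost);
    return types.knownTag;
}

// Compile `outer`, inlining `inner`, which reads GNAME `f`; returns the tag baked in.
std::string compileOld(Script& outer, Script& inner, TypeSet& f) {
    std::string tag = getKnownTypeTagOld(f, &inner);   // the bug: inner script recorded
    outer.jitCodeValid = true;                         // but the JIT code lives in outer
    return tag;
}

std::string compileNew(Compiler& cx, Script& outer, Script& inner, TypeSet& f) {
    AutoEnterCompilation enter(cx, &outer);
    (void)inner;                                       // inlined frame never names itself
    std::string tag = getKnownTypeTagNew(cx, f);
    outer.jitCodeValid = true;
    return tag;
}

// After the function bound to `f` is collected and the tag changes, is the outer
// JIT code still considered valid? Under the old design, yes (the stale assumption
// that f is a function survives).
bool oldDesignLeavesStaleCode() {
    Script outer{"main"}, inner{"helper"};
    TypeSet f{"function", {}};
    compileOld(outer, inner, f);
    f.setTag("undefined");         // GC collected the function; type tag changes
    return outer.jitCodeValid;     // true: nothing invalidated outer's code
}

bool newDesignInvalidatesOuter() {
    Compiler cx;
    Script outer{"main"}, inner{"helper"};
    TypeSet f{"function", {}};
    compileNew(cx, outer, inner, f);
    f.setTag("undefined");
    return !outer.jitCodeValid;    // true: outer's JIT code was invalidated
}

int main() {
    std::printf("old design leaves stale JIT code: %s\n", oldDesignLeavesStaleCode() ? "yes" : "no");
    std::printf("new design invalidates outer:     %s\n", newDesignInvalidatesOuter() ? "yes" : "no");
    return 0;
}
```

The assert inside getKnownTypeTagNew is the practical check: any dependency query that runs outside an AutoEnterCompilation scope has no outermost script to attach to and is caught at compile time of the script rather than surfacing later as a read through a collected object, as in the valgrind trace above.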