TI: GC related Crash [@ js::Invoke]

RESOLVED FIXED

Status

Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 8 years ago
Modified: 7 years ago
People

(Reporter: decoder, Unassigned)

Tracking

Blocks: 2 bugs
Version: Trunk
Platform: x86_64 Linux
Keywords: crash, testcase

Firefox Tracking Flags

(Not tracked)

Details

Crash Signature: [@ js::Invoke]

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
Created attachment 523081 [details]
shell testcase, unpack, chdir and run main.js with options "-n -m -a"

The attached testcase (unpack, chdir and run main.js with -m -n -a) will crash on TI tip, tested on 64 bit. This looks like a GC related crash:

==1757== Invalid read of size 8
==1757==    at 0x4F4FE0: js::Invoke(JSContext*, js::CallArgs const&, unsigned int) (jsinterp.cpp:728)
==1757==    by 0x71D88A: js::mjit::stubs::SlowCall(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:196)
==1757==    by 0x6FC463: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1069)
==1757==    by 0x41B3B50: ???
==1757==    by 0x68C53D: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:742)
==1757==    by 0x68C666: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:771)
==1757==    by 0x68C7DD: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:795)
==1757==    by 0x4F4D06: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:682)
==1757==    by 0x4F64A5: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:1094)
==1757==    by 0x43417D: JS_ExecuteScript (jsapi.cpp:5183)
==1757==    by 0x406EC7: Load(JSContext*, unsigned int, jsval_layout*) (js.cpp:1069)
==1757==    by 0x4F99BF: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, js::Value*), unsigned int, js::Value*) (jscntxtinlines.h:688)
==1757==  Address 0xdadadadadadadb3a is not stack'd, malloc'd or (recently) free'd
==1757== 
==1757== 
==1757== Process terminating with default action of signal 11 (SIGSEGV)

Previously we recorded dependencies which JIT code has on type information with calls like 'types->getKnownTypeTag(cx, script)' where script is the one currently being compiled.  This is a crap design when we are inlining frames, as it's super easy to incorrectly pass the inner script rather than the outermost one, record the dependencies wrong and get behavior like this (an inlined call thinks a GNAME is definitely a function which has already been collected).

This fixes things by removing the script argument from the calls which record dependencies, and using an AutoEnterCompilation which wraps all such calls and records all dependencies on the outermost script.

http://hg.mozilla.org/projects/jaegermonkey/rev/cc8882cb4cd4
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::Invoke]
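The fix comment above replaces calls of the form `types->getKnownTypeTag(cx, script)`, where the caller names the script, with an AutoEnterCompilation guard that charges every recorded dependency to the outermost script being compiled. The C++ below is an added illustration, not SpiderMonkey code and not taken from the linked revision: it models both API shapes against a toy type-inference store and shows why the old shape lets the outer script's JIT code stay live after the global function it trusted has been collected, which is the kind of stale read the Valgrind trace shows (the 0xdadada... address is consistent with a read through a poisoned, freed GC cell). The names `Script`, `TypeInference`, `Compiler`, `recordDependency` and the guard's internals are invented for this example.

```cpp
// Added illustration (not SpiderMonkey code): toy model of the design change
// described in the fix comment. All type and function names are invented.
#include <cassert>
#include <map>
#include <set>
#include <string>

struct Script {
    std::string name;
    bool hasJitCode;   // true while compiled code that trusts type info is live
};

// Type-inference side: for each global name, the scripts whose JIT code
// assumed something about that name's type.
struct TypeInference {
    std::map<std::string, std::set<Script*>> dependents;

    // Old API shape: the *caller* names the script. While inlining, the
    // natural mistake is to pass the inlined callee instead of the outermost
    // script that actually owns the generated code.
    void recordDependency(const std::string& gname, Script* script) {
        dependents[gname].insert(script);
    }

    // A type change on the global (e.g. the function it held was collected)
    // must discard the JIT code of every script that depended on it.
    void invalidate(const std::string& gname) {
        for (Script* s : dependents[gname])
            s->hasJitCode = false;
        dependents.erase(gname);
    }
};

struct Compiler {
    TypeInference& types;
    Script* outermost = nullptr;   // the script whose code is being emitted

    explicit Compiler(TypeInference& t) : types(t) {}

    // New API shape: no script argument. Whatever is being inlined right now,
    // the dependency is charged to the outermost compilation.
    void recordDependency(const std::string& gname) {
        assert(outermost != nullptr && "must be inside an AutoEnterCompilation");
        types.dependents[gname].insert(outermost);
    }
};

// RAII guard in the spirit of the AutoEnterCompilation named in the comment.
// Only the first (outermost) entry sets the script; nested entries made while
// compiling an inlined callee leave it untouched, and the destructor clears it
// even on early return.
class AutoEnterCompilation {
    Compiler& c;
    bool owner;
public:
    AutoEnterCompilation(Compiler& comp, Script* script)
        : c(comp), owner(comp.outermost == nullptr) {
        if (owner) c.outermost = script;
    }
    ~AutoEnterCompilation() {
        if (owner) c.outermost = nullptr;
    }
};

// Scenario: "outer" is compiled and "inner" is inlined into it. The inlined
// call site relies on global "f" being a particular function. Later "f" is
// collected and type inference invalidates the dependents of "f".
// Each function returns whether outer's (now stale) JIT code is still live.

bool staleCodeSurvivesWithOldApi() {
    TypeInference types;
    Script outer{"outer", true};   // owns the JIT code
    Script inner{"inner", false};  // inlined; never has code of its own
    types.recordDependency("f", &inner);   // the bug: wrong script recorded
    types.invalidate("f");                 // inner flagged, outer untouched
    return outer.hasJitCode;               // true: outer keeps calling dead "f"
}

bool staleCodeSurvivesWithGuard() {
    TypeInference types;
    Compiler comp(types);
    Script outer{"outer", true};
    Script inner{"inner", false};
    {
        AutoEnterCompilation enterOuter(comp, &outer);
        {
            // Compiling the inlined callee re-enters, but the guard keeps
            // charging dependencies to "outer".
            AutoEnterCompilation enterInner(comp, &inner);
            comp.recordDependency("f");
        }
    }
    types.invalidate("f");
    return outer.hasJitCode;               // false: outer's code is discarded
}
```

The point of the guard is that the script argument disappears from every recording call, so an inlined frame cannot be mis-attributed no matter how deep the inlining goes; the RAII destructor also guarantees the compilation pointer is reset on any exit path.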
(Reporter)

Updated

7 years ago
Blocks: 676763