Closed Bug 655504 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: !inline_, at js/src/methodjit/InvokeHelpers.cpp:269

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical


RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

The attached testcase asserts on TI revision e09e209d988e (see README for run instructions!), tested on 64-bit. The required time until assert ranges from 10 to 30 seconds. I was unable to detach this testcase from the LangFuzz driver; it seems highly fragile.

The test also shows a memory corruption in valgrind; according to bhackett, though, it's unclear whether they are related:

    ==27034== Invalid read of size 1
    ==27034==    at 0x6A7BFF: js::mjit::Compiler::generateMethod() (Compiler.cpp:2276)
    ==27034==    by 0x69D40E: js::mjit::Compiler::performCompilation(js::mjit::JITScript**) (Compiler.cpp:331)
    ==27034==    by 0x69CAC5: js::mjit::Compiler::compile() (Compiler.cpp:166)
    ==27034==    by 0x69E20E: js::mjit::TryCompile(JSContext*, js::StackFrame*) (Compiler.cpp:487)
    ==27034==    by 0x7371FE: js::mjit::CanMethodJIT(JSContext*, JSScript*, js::StackFrame*, js::mjit::CompileRequest) (MethodJIT-inl.h:75)
    ==27034==    by 0x7380C0: UncachedInlineCall(js::VMFrame&, unsigned int, void**, bool*, unsigned int, js::types::ClonedTypeSet*) (InvokeHelpers.cpp:423)
    ==27034==    by 0x73858C: js::mjit::stubs::UncachedCallHelper(js::VMFrame&, unsigned int, js::types::ClonedTypeSet*, js::mjit::stubs::UncachedCallResult*) (InvokeHelpers.cpp:525)
    ==27034==    by 0x71D959: CallCompiler::update() (MonoIC.cpp:1006)
    ==27034==    by 0x7175CA: js::mjit::ic::Call(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1066)
    ==27034==    by 0x41EC99B: ???
    ==27034==    by 0x697C71: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:692)
    ==27034==    by 0x697DB6: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*) (MethodJIT.cpp:722)
    ==27034==  Address 0x7c6df80 is 0 bytes after a block of size 32 alloc'd
    ==27034==    at 0x4C267CC: calloc (vg_replace_malloc.c:467)
    ==27034==    by 0x41A4FE: js_calloc (jsutil.h:244)
    ==27034==    by 0x43A21A: JSRuntime::calloc_(unsigned long, JSContext*) (jscntxt.h:734)
    ==27034==    by 0x43A6C5: JSContext::calloc_(unsigned long) (jscntxt.h:1297)
    ==27034==    by 0x69DFE8: js::mjit::Compiler::prepareInferenceTypes(JSScript*, js::mjit::Compiler::ActiveFrame*) (Compiler.cpp:448)
    ==27034==    by 0x69D049: js::mjit::Compiler::pushActiveFrame(JSScript*, unsigned int) (Compiler.cpp:267)
    ==27034==    by 0x69D2E8: js::mjit::Compiler::performCompilation(js::mjit::JITScript**) (Compiler.cpp:329)
    ==27034==    by 0x69CAC5: js::mjit::Compiler::compile() (Compiler.cpp:166)
    ==27034==    by 0x69E20E: js::mjit::TryCompile(JSContext*, js::StackFrame*) (Compiler.cpp:487)
    ==27034==    by 0x7371FE: js::mjit::CanMethodJIT(JSContext*, JSScript*, js::StackFrame*, js::mjit::CompileRequest) (MethodJIT-inl.h:75)
    ==27034==    by 0x7380C0: UncachedInlineCall(js::VMFrame&, unsigned int, void**, bool*, unsigned int, js::types::ClonedTypeSet*) (InvokeHelpers.cpp:423)
    ==27034==    by 0x73858C: js::mjit::stubs::UncachedCallHelper(js::VMFrame&, unsigned int, js::types::ClonedTypeSet*, js::mjit::stubs::UncachedCallResult*) (InvokeHelpers.cpp:525)
    ==27034==
    ==27034== Invalid read of size 1
    ==27034==    at 0x6A7BFF: js::mjit::Compiler::generateMethod() (Compiler.cpp:2276)
    ==27034==    by 0x69D40E: js::mjit::Compiler::performCompilation(js::mjit::JITScript**) (Compiler.cpp:331)
    ==27034==    by 0x69CAC5: js::mjit::Compiler::compile() (Compiler.cpp:166)
    ==27034==    by 0x73D610: js::mjit::Recompiler::recompile(JSScript*, bool, js::Vector<js::mjit::PatchableFrame, 0ul, js::ContextAllocPolicy>&, js::Vector<js::mjit::Recompiler::PatchableAddress, 0ul, js::ContextAllocPolicy>&, js::Vector<js::mjit::CallSite, 0ul, js::ContextAllocPolicy>&, js::Vector<js::mjit::Recompiler::PatchableNative, 0ul, js::ContextAllocPolicy>&) (Retcon.cpp:619)
    ==27034==    by 0x73D1B2: js::mjit::Recompiler::recompile() (Retcon.cpp:562)
    ==27034==    by 0x4E3327: js::types::TypeCompartment::processPendingRecompiles(JSContext*) (jsinfer.cpp:2017)
    ==27034==    by 0x415080: js::types::AutoEnterTypeInference::~AutoEnterTypeInference() (jsinferinlines.h:174)
    ==27034==    by 0x4E325B: js::types::TypeCompartment::dynamicPush(JSContext*, JSScript*, unsigned int, unsigned long) (jsinfer.cpp:1998)
    ==27034==    by 0x456119: JSScript::typeMonitorResult(JSContext*, unsigned char const*, unsigned long) (jsinferinlines.h:633)
    ==27034==    by 0x795F7E: JSScript::typeMonitorString(JSContext*, unsigned char const*) (jsinferinlines.h:660)
    ==27034==    by 0x79B259: js::mjit::stubs::Add(js::VMFrame&) (StubCalls.cpp:1162)
    ==27034==    by 0x65CF9F9: ???
    ==27034==  Address 0x83a8fc0 is 0 bytes after a block of size 32 alloc'd
    ==27034==    at 0x4C267CC: calloc (vg_replace_malloc.c:467)
    ==27034==    by 0x41A4FE: js_calloc (jsutil.h:244)
    ==27034==    by 0x43A21A: JSRuntime::calloc_(unsigned long, JSContext*) (jscntxt.h:734)
    ==27034==    by 0x43A6C5: JSContext::calloc_(unsigned long) (jscntxt.h:1297)
    ==27034==    by 0x69DFE8: js::mjit::Compiler::prepareInferenceTypes(JSScript*, js::mjit::Compiler::ActiveFrame*) (Compiler.cpp:448)
    ==27034==    by 0x69D049: js::mjit::Compiler::pushActiveFrame(JSScript*, unsigned int) (Compiler.cpp:267)
    ==27034==    by 0x69D2E8: js::mjit::Compiler::performCompilation(js::mjit::JITScript**) (Compiler.cpp:329)
    ==27034==    by 0x69CAC5: js::mjit::Compiler::compile() (Compiler.cpp:166)
    ==27034==    by 0x73D610: js::mjit::Recompiler::recompile(JSScript*, bool, js::Vector<js::mjit::PatchableFrame, 0ul, js::ContextAllocPolicy>&, js::Vector<js::mjit::Recompiler::PatchableAddress, 0ul, js::ContextAllocPolicy>&, js::Vector<js::mjit::CallSite, 0ul, js::ContextAllocPolicy>&, js::Vector<js::mjit::Recompiler::PatchableNative, 0ul, js::ContextAllocPolicy>&) (Retcon.cpp:619)
    ==27034==    by 0x73D1B2: js::mjit::Recompiler::recompile() (Retcon.cpp:562)
    ==27034==    by 0x4E3327: js::types::TypeCompartment::processPendingRecompiles(JSContext*) (jsinfer.cpp:2017)
    ==27034==    by 0x415080: js::types::AutoEnterTypeInference::~AutoEnterTypeInference() (jsinferinlines.h:174)
    ==27034==
I can repro this now with an x64 Linux VM.  This should have been fixed by bug 650163.  The problem is we triggered a recompilation inside a stack overflow triggered by FixupArity trying to move a new stack frame, and then used a stale ncode value to recover the PC afterwards for throwing an exception.  Bug 650163 fixed this to recover the PC before recompilation can be triggered (another bug ran into this, but I can't find it ATM).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
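The ordering bug described in the second comment (recompilation triggered first, then the PC recovered from a stale native-code value) as an added, simplified C model; this is not SpiderMonkey code, and JITScript, recompile, recover_pc, throw_pc and demo are hypothetical names with constructed layouts and addresses.

```c
#include <stdint.h>
#include <string.h>

/* Added, simplified model of the ordering bug described in comment 1, not
 * SpiderMonkey code: a frame's native return address maps to a bytecode pc
 * only against the JIT code it was taken from. If recompilation runs first,
 * resolving it against the new layout gives a wrong pc. All names below are
 * hypothetical. */

typedef struct {
    uintptr_t ncode;       /* base address of the current native code */
    size_t native_off[4];  /* native offset where each bytecode pc starts */
} JITScript;

/* Recompilation replaces the code; here it lands at the same address (as
 * reused memory would) but with a different layout. */
static void recompile(JITScript *s) {
    static const size_t relaid[4] = {0, 32, 40, 56};
    memcpy(s->native_off, relaid, sizeof relaid);
}

/* Map a native return address to a bytecode pc; -1 if it matches none. */
static int recover_pc(const JITScript *s, uintptr_t ret) {
    uintptr_t off = ret - s->ncode;
    for (int pc = 0; pc < 4; pc++)
        if (s->native_off[pc] == off) return pc;
    return -1;
}

/* Throw path for a frame whose return address was saved before the throw.
 * Buggy order (fixed_order == 0): recompile, then resolve the stale address.
 * Fixed order: resolve the pc first, then let recompilation happen. */
static int throw_pc(JITScript *s, uintptr_t frame_ret, int fixed_order) {
    int pc = -1;
    if (fixed_order) pc = recover_pc(s, frame_ret);
    recompile(s);
    if (!fixed_order) pc = recover_pc(s, frame_ret);
    return pc;
}

/* Constructed scenario: the frame returns into pc 2 of the original layout.
 * Fixed order yields 2; buggy order silently yields 1. */
static int demo(int fixed_order) {
    JITScript s = { .ncode = 0x1000, .native_off = {0, 16, 32, 48} };
    return throw_pc(&s, 0x1000 + 32, fixed_order);
}
```

The silent wrong answer in the buggy order is the point: nothing faults at the lookup itself, the bad pc only surfaces later, which is why the valgrind report and the assertion can look unrelated.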