Closed Bug 655810 Opened 13 years ago Closed 13 years ago

TI: Infinite loop and memory explosion with array2 test

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: azakai, Assigned: jandem)

References

Details

Attachments

(2 files, 1 obsolete file)

array2 test
22.76 KB, text/plain
Details
Patch
1.21 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
Attached file array2 test 
The attached script is array2 from emscripten's test suite. With |-m -n| on JM, it enters an apparently infinite loop, and memory usage explodes out of control (be careful when running the script). Works ok with just -m.
Can you still reproduce this? Works for me with 32-bit and 64-bit OS X shell, both |-m -n| and |-m -a -n|.
I still see this on Linux 32. Might be a platform specific thing then.

I get the same on most other emscripten tests as well (this is among the first in the list, so I saw it first).
OS: All → Linux
Hardware: All → x86
Ah this is interesting, debug build works on Linux 32-bit, but I can reproduce with a release build. Linux 32-bit tinderbox has the same problem, orange caused by time-outs. I'll reduce this now.
Attached patch Patch (obsolete) — Splinter Review 
There are different versions of JS_FLOOR_LOG2 macro, apparently the optimized version returned an invalid value if the result is signed. The register was not in freeMask, causing an infinite loop in FrameState::merge (it was busy generating code, causing the memory explosion).
Assignee: general → jandemooij
Status: NEW → ASSIGNED
Attachment #531766 - Flags: review?(bhackett1024)
Comment on attachment 531766 [details] [diff] [review]
Patch

Weird, any other hits on this?  possible to put a comment on the macro?
Attachment #531766 - Flags: review?(bhackett1024) → review+
I think the fix is correct, but it looks like JS_FLOOR_LOG2 is a red herring. The problem seems to be somewhere outside peekReg. Probably a bug in GCC 4.5 with -O3, I'll look closer tomorrow.
Attached patch PatchSplinter Review 
The (RegisterID)ireg cast was confusing GCC when ireg is a FP register. So maybe it's not a GCC bug but undefined behavior. We don't even need the int -> unsigned change but I left it in, it seems to be the right type.

There's another (RegisterID) cast in FrameState.cpp, but it's valid because RegisterID ranges from 0 to TotalRegisters.
Attachment #531766 - Attachment is obsolete: true
Attachment #531880 - Flags: review?(bhackett1024)
Attachment #531880 - Flags: review?(bhackett1024) → review+
http://hg.mozilla.org/projects/jaegermonkey/rev/3f089c0d63f8
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: