Closed Bug 666094 Opened 13 years ago Closed 13 years ago

Crash [@ js::StackFrame::initJitFrameLatePrologue() ] / [@ js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) ] (Aurora 6)


(Core :: JavaScript Engine, defect)

Windows Vista
Not set



Tracking Status
firefox6 + fixed


(Reporter: m_kato, Assigned: luke)




(Keywords: crash, regression, Whiteboard: fixed-in-tracemonkey)

Crash Data


(1 file)

m-c Nightly 2011-06-20 (Win32 and Win64)

1. Browse
2. click [generateTestResults]


0 	mozjs.dll 	js::StackFrame::initJitFrameLatePrologue 	js/src/vm/Stack-inl.h:179
1 	mozjs.dll 	js::mjit::stubs::CompileFunction 	js/src/methodjit/InvokeHelpers.cpp:286
2 	xul.dll 	nsXPConnect::WrapNativeToJSVal 	js/src/xpconnect/src/nsXPConnect.cpp:1344
3 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5098
4 		@0x136a1c7f 	

Not repro on Firefox 4 and 5.
Summary: Crash [@ js::StackFrame::initJitFrameLatePrologue() ] when running → Crash [@ js::StackFrame::initJitFrameLatePrologue() ]
Can you get us a regression range on this?
Repro ->

Not Repro ->
Push date [To Local]	Changeset	Patch author — Commit message
Tue Apr 26 19:47:42 2011 -0700	d433ee7d9f86	Jeff Walden — Bug 647385 - Implement a ToInteger helper that corresponds to the spec method (rather than inlining its contents everywhere it can be trivially used). Also fixes a couple bugs in one place that should have used ToInteger but didn't. r=cdleary
	f1751a93f665	Jeff Walden — Bug 512266 - JSON.stringify for various special characters should produce the corresponding one-character escapes. r=pbiggar
	a7b220e7425a	Jeff Walden — Bug 635389 - Check for overrecursion in functions that might need it. r=jorendorff
	8f7cf9d0b636	Jeff Walden — Bug 650574 - No recursion checks converting a cyclic object to source, if the object's toSource hooks are built-in functions. r=luke
Tue Apr 26 15:26:18 2011 -0700	17dffff00f56	Chris Leary — Passing bug 646184 crashtest assertion. (r=dbaron)
Tue Apr 26 14:33:57 2011 -0700	c08f97b3f842	Luke Wagner — Fix linker error. I fixed this in the patch I pushed to try but seem to have lost it in the meantime (r=burning-windows)
Tue Apr 26 13:39:40 2011 -0700	7faf405fa9f0	Luke Wagner — Fix --disable-methodjit bustage (r=red)
Tue Apr 26 13:27:51 2011 -0700	e9da34dfa8c5	Luke Wagner — Bug 644074 - Simplify and consolidate VM stack code into js/src/vm/Stack*
Tue Apr 26 10:43:47 2011 -0700	28bc239d3d9d	Chris Leary — Merge mozilla-central and tracemonkey.
← 489 hidden changesets [Expand]
Tue Apr 26 07:26:53 2011 -0700	3dc303216231	Tom Schuster — Fix style nit request in Bug 651973 r=jorendorff via irc
Tue Apr 26 01:31:30 2011 -0700	de7b0f3323c1	Jan de Mooij — Bug 646938 - Fix NaN-check in jsop_
Crash Signature: @ js::StackFrame::initJitFrameLatePrologue() → [@ js::StackFrame::initJitFrameLatePrologue() ]
This can reproduce on Aurora (bp-ed985971-90ca-4af2-9bfb-1d8252110621).  requesting blocking for version 6.
Crash Signature: [@ js::StackFrame::initJitFrameLatePrologue() ] → [@ js::StackFrame::initJitFrameLatePrologue() ][@ js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) ]
Summary: Crash [@ js::StackFrame::initJitFrameLatePrologue() ] → Crash [@ js::StackFrame::initJitFrameLatePrologue() ] / [@ js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) ] (Aurora 6)
In local build:
build from c08f97b3f842: crash
build from 28bc239d3d9d: not crash
Suspected bug: Bug 644074
Severity: normal → critical
Keywords: crash
Assignee: general → luke
It looks like this is a pre-existing bug hidden by the old STACK_QUOTA nonsense which bug 644074 removed.  The bug is that CompileFunction is not checking the stack limit before initializing locals.
Attached patch fix and testSplinter Review
Simple enough fix, mostly just copying the relevant bits of generatePrologue+HitStackQuota.
Attachment #541233 - Flags: review?(dvander)
not going to track but if you come back when it's been reviewed and you can give us a risk vs reward analysis, we'll evaluate then.
Comment on attachment 541233 [details] [diff] [review]
fix and test

Review of attachment 541233 [details] [diff] [review]:
Attachment #541233 - Flags: review?(dvander) → review+
This is currently on aurora (not beta) and I think this is a low risk fix to land.  IIUC, that means tracking-firefox7, not 6?
Whiteboard: fixed-in-tracemonkey
Oops, Aurora reports 6.0a2, so then I should request tracking-firefox6.
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 541233 [details] [diff] [review]
fix and test

Approved for releases/mozilla-aurora. Please land by 2011-07-05 @ 9:00 am PDT
Attachment #541233 - Flags: approval-mozilla-aurora+
Looks like this made the uplift to Beta. Do we still need to track this for 6?
I think we're good.
No crash on Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0 beta 5

Setting resolution to Verified Fixed.
You need to log in before you can comment on or make changes to this bug.