Bug 688090 - crashes with stacks in js engine
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- normal
Assigned To: general
Reported: 2011-09-20 21:01 PDT by Timothy Nikkel (:tnikkel)
Modified: 2011-09-20 21:54 PDT


Attachments
patch (836 bytes, patch)
2011-09-20 21:26 PDT, Brian Hackett (:bhackett)
dvander: review+

Description Timothy Nikkel (:tnikkel) 2011-09-20 21:01:40 PDT
I've crashed several times today in my normal profile; normally I almost never crash. I didn't have a problem with the 2011-09-18 nightly. The 2011-09-20 has the crashes (I'm unsure about 2011-09-19, I may have skipped it, I don't remember).

I seem to be able to reproduce eventually by going to http://www.flickr.com/photos/lucasrocha/sets/72157627529094579/ and then ctrl-clicking on each image to open in a new tab.

I reproduced in an opt build with debug enabled (rev b15856d4b114) and got this stack:
#0  0x00007ffff463ec0a in setRel32 (jump=..., 
    destination=<value optimized out>)
    at ../../../js/src/assembler/assembler/X86Assembler.h:2523
#1  relinkJump (jump=..., destination=<value optimized out>)
    at ../../../js/src/assembler/assembler/X86Assembler.h:2401
#2  JSC::AbstractMacroAssembler<JSC::X86Assembler>::repatchJump (jump=..., 
    destination=<value optimized out>)
    at ../../../js/src/assembler/assembler/AbstractMacroAssembler.h:615
#3  0x00007ffff4652475 in relink (this=<value optimized out>, cs=...)
    at ../../../js/src/assembler/assembler/RepatchBuffer.h:80
#4  GetPropCompiler::patchPreviousToHere (this=<value optimized out>, cs=...)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1372
#5  0x00007ffff4653819 in GetPropCompiler::linkerEpilogue (
    this=0x7fffffff4c20, buffer=..., start=<value optimized out>, 
    shapeMismatches=...)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1342
#6  0x00007ffff4655faf in GetPropCompiler::generateGetterStub (
    this=0x7fffffff4c20, masm=<value optimized out>, shape=0x7fffd8ef2fc0, 
    start=..., shapeMismatches=...)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1244
#7  0x00007ffff4659236 in GetPropCompiler::generateStub (this=0x7fffffff4c20, 
    holder=0x7fffd8eeb558, shape=0x7fffd8ef2fc0)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1302
#8  0x00007ffff4659723 in GetPropCompiler::update (this=0x7fffffff4c20)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1394
#9  0x00007ffff464f410 in js::mjit::ic::GetProp (f=..., pic=0x7fff828e82c8)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1992
#10 0x00007fff55a2efd0 in ?? ()
#11 0x00007fff55a2ebc0 in ?? ()
#12 0x000000004e795ef6 in ?? ()
#13 0x00007fffffff5290 in ?? ()
#14 0x0000000000000000 in ?? ()

I've also crashed without loading a bazillion tabs with images. (I'm 64bit, so I don't think I'm hitting OOM.)

Comment 1 David Anderson [:dvander] 2011-09-20 21:02:57 PDT
Brian, if I had a guess, the new getter IC is missing a verifyRange change in the linker.

Comment 2 Brian Hackett (:bhackett) 2011-09-20 21:26:45 PDT
Created attachment 561381
patch

Yes, this is the problem.  The getter IC only verified range against the JITScript's code, and not the previous PIC stub.

Comment 3 Brian Hackett (:bhackett) 2011-09-20 21:35:11 PDT
https://hg.mozilla.org/mozilla-central/rev/e8bd19f6abbb

Comment 4 Timothy Nikkel (:tnikkel) 2011-09-20 21:54:15 PDT
Awesome!
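
An illustration of the range check discussed in comments 1 and 2, added here and not taken from the bug's patch or from SpiderMonkey. It assumes verifyRange is a rel32 reachability test (suggested by setRel32 at the top of the stack); every type name, function name and address below is constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical model of one executable allocation (not a SpiderMonkey type).
struct CodeRange { uintptr_t start; size_t size; };

// A rel32 jump stores (target - address of next instruction) as a signed
// 32-bit value, so the target must lie within about +/-2 GiB of the jump.
bool fitsRel32(uintptr_t from, uintptr_t to) {
    int64_t delta = static_cast<int64_t>(to - from);
    return delta >= INT32_MIN && delta <= INT32_MAX;
}

// Conservative check: any address in `a` can jump to any address in `b`
// and back. Only the extreme corners need testing.
bool mutuallyReachable(CodeRange a, CodeRange b) {
    uintptr_t aEnd = a.start + a.size, bEnd = b.start + b.size;
    return fitsRel32(a.start, bEnd) && fitsRel32(aEnd, b.start) &&
           fitsRel32(b.start, aEnd) && fitsRel32(bEnd, a.start);
}

// The check as comment 2 describes it before the fix: main code only.
bool canLinkStubBefore(CodeRange stub, CodeRange mainCode) {
    return mutuallyReachable(stub, mainCode);
}

// With the missing check: the previous stub's jump gets repatched to the
// new stub, so that pair has to be in range as well.
bool canLinkStubAfter(CodeRange stub, CodeRange mainCode, const CodeRange* prev) {
    return mutuallyReachable(stub, mainCode) &&
           (prev == nullptr || mutuallyReachable(stub, *prev));
}

// Constructed addresses: both stubs sit within 2 GiB of the main code, on
// opposite sides of it, which puts them about 3.5 GiB from each other.
const CodeRange kMain = {0x700000000000ULL, 0x10000};
const CodeRange kPrevStub = {0x700000000000ULL - 0x70000000ULL, 0x100};
const CodeRange kNewStub = {0x700000000000ULL + 0x70000000ULL, 0x100};

int main() {
    std::printf("before fix accepts stub: %d\n", canLinkStubBefore(kNewStub, kMain));
    std::printf("after fix accepts stub:  %d\n",
                canLinkStubAfter(kNewStub, kMain, &kPrevStub));
    return 0;
}
```

With the constructed layout the main-code-only check accepts the new stub, while the check that also covers the previous stub rejects it before any jump is patched.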
