crashes with stacks in js engine

RESOLVED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
RESOLVED FIXED
Reported:
6 years ago
Modified:
6 years ago

People

(Reporter: tnikkel, Unassigned)

Tracking

Version:
Trunk
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

patch
836 bytes, patch
dvander
: review+
Details | Diff | Splinter Review
(Reporter)

Description

6 years ago 
I've crashed several times today in my normal profile, normally I almost never crash. I didn't have a problem with the 2011-09-18 nightly. The 2011-09-20 has the crashes (I'm unsure about 2011-09-19, I may have skipped it, I don't remember).

I seem to be able to reproduce eventually by going to http://www.flickr.com/photos/lucasrocha/sets/72157627529094579/ and then ctrl-clicking on each image to open in a new tab.

I reproduced in a opt build with debug enabled (rev b15856d4b114) and got this stack:
#0  0x00007ffff463ec0a in setRel32 (jump=..., 
    destination=<value optimized out>)
    at ../../../js/src/assembler/assembler/X86Assembler.h:2523
#1  relinkJump (jump=..., destination=<value optimized out>)
    at ../../../js/src/assembler/assembler/X86Assembler.h:2401
#2  JSC::AbstractMacroAssembler<JSC::X86Assembler>::repatchJump (jump=..., 
    destination=<value optimized out>)
    at ../../../js/src/assembler/assembler/AbstractMacroAssembler.h:615
#3  0x00007ffff4652475 in relink (this=<value optimized out>, cs=...)
    at ../../../js/src/assembler/assembler/RepatchBuffer.h:80
#4  GetPropCompiler::patchPreviousToHere (this=<value optimized out>, cs=...)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1372
#5  0x00007ffff4653819 in GetPropCompiler::linkerEpilogue (
    this=0x7fffffff4c20, buffer=..., start=<value optimized out>, 
    shapeMismatches=...)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1342
#6  0x00007ffff4655faf in GetPropCompiler::generateGetterStub (
    this=0x7fffffff4c20, masm=<value optimized out>, shape=0x7fffd8ef2fc0, 
    start=..., shapeMismatches=...)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1244
#7  0x00007ffff4659236 in GetPropCompiler::generateStub (this=0x7fffffff4c20, 
    holder=0x7fffd8eeb558, shape=0x7fffd8ef2fc0)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1302
#8  0x00007ffff4659723 in GetPropCompiler::update (this=0x7fffffff4c20)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1394
#9  0x00007ffff464f410 in js::mjit::ic::GetProp (f=..., pic=0x7fff828e82c8)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1992
#10 0x00007fff55a2efd0 in ?? ()
#11 0x00007fff55a2ebc0 in ?? ()
#12 0x000000004e795ef6 in ?? ()
#13 0x00007fffffff5290 in ?? ()
#14 0x0000000000000000 in ?? ()

I've also crashed without loading a bazillion tabs with images. (I'm 64bit, so I don't think I'm hitting OOM.)

Comment 1

6 years ago 
Brian, if I had a guess, the new getter IC is missing a verifyRange change in the linker.

Comment 2

6 years ago 
Created attachment 561381 [details] [diff] [review]
patch

Yes, this is the problem.  The getter IC only verified range against the JITScript's code, and not the previous PIC stub.
Attachment #561381 - Flags: review?(dvander)
Attachment #561381 - Flags: review?(dvander) → review+

Comment 3

6 years ago 
https://hg.mozilla.org/mozilla-central/rev/e8bd19f6abbb
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
 (Reporter)

Comment 4

6 years ago 
Awesome!
You need to log in before you can comment on or make changes to this bug.