Closed Bug 688090 Opened 8 years ago Closed 8 years ago

crashes with stacks in js engine

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Status: RESOLVED FIXED
Reporter: tnikkel (Unassigned)
Attachments: 1 file

I've crashed several times today in my normal profile, normally I almost never crash. I didn't have a problem with the 2011-09-18 nightly. The 2011-09-20 has the crashes (I'm unsure about 2011-09-19, I may have skipped it, I don't remember).

I seem to be able to reproduce eventually by going to http://www.flickr.com/photos/lucasrocha/sets/72157627529094579/ and then ctrl-clicking on each image to open in a new tab.

I reproduced in an opt build with debug enabled (rev b15856d4b114) and got this stack:
#0  0x00007ffff463ec0a in setRel32 (jump=..., 
    destination=<value optimized out>)
    at ../../../js/src/assembler/assembler/X86Assembler.h:2523
#1  relinkJump (jump=..., destination=<value optimized out>)
    at ../../../js/src/assembler/assembler/X86Assembler.h:2401
#2  JSC::AbstractMacroAssembler<JSC::X86Assembler>::repatchJump (jump=..., 
    destination=<value optimized out>)
    at ../../../js/src/assembler/assembler/AbstractMacroAssembler.h:615
#3  0x00007ffff4652475 in relink (this=<value optimized out>, cs=...)
    at ../../../js/src/assembler/assembler/RepatchBuffer.h:80
#4  GetPropCompiler::patchPreviousToHere (this=<value optimized out>, cs=...)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1372
#5  0x00007ffff4653819 in GetPropCompiler::linkerEpilogue (
    this=0x7fffffff4c20, buffer=..., start=<value optimized out>, 
    shapeMismatches=...)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1342
#6  0x00007ffff4655faf in GetPropCompiler::generateGetterStub (
    this=0x7fffffff4c20, masm=<value optimized out>, shape=0x7fffd8ef2fc0, 
    start=..., shapeMismatches=...)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1244
#7  0x00007ffff4659236 in GetPropCompiler::generateStub (this=0x7fffffff4c20, 
    holder=0x7fffd8eeb558, shape=0x7fffd8ef2fc0)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1302
#8  0x00007ffff4659723 in GetPropCompiler::update (this=0x7fffffff4c20)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1394
#9  0x00007ffff464f410 in js::mjit::ic::GetProp (f=..., pic=0x7fff828e82c8)
    at /home/tim/ffopen/src/js/src/methodjit/PolyIC.cpp:1992
#10 0x00007fff55a2efd0 in ?? ()
#11 0x00007fff55a2ebc0 in ?? ()
#12 0x000000004e795ef6 in ?? ()
#13 0x00007fffffff5290 in ?? ()
#14 0x0000000000000000 in ?? ()

I've also crashed without loading a bazillion tabs with images. (I'm 64bit, so I don't think I'm hitting OOM.)
Brian, if I had a guess, the new getter IC is missing a verifyRange change in the linker.
Attached patch: patch
Yes, this is the problem. The getter IC only verified range against the JITScript's code, and not the previous PIC stub.
Attachment #561381 - Flags: review?(dvander)
Attachment #561381 - Flags: review?(dvander) → review+
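An added illustration of the kind of range check the comment above refers to; it is not code from this bug's patch or from Mozilla's tree. It assumes (an interpretation of the setRel32 crash, not something the page states) that verifyRange guards x86-64 rel32 jump patching: a new stub is only safe to link if every site that will be repatched to jump to it, both the JITScript's own code and the previous PIC stub, lies within a signed 32-bit displacement. All names and addresses are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model, not Mozilla's code: an x86-64 JMP rel32 is 5 bytes and
   can only reach targets whose displacement from the end of the instruction
   fits in a signed 32-bit integer. */
static bool rel32_reachable(uintptr_t jump_insn, uintptr_t target)
{
    intptr_t disp = (intptr_t)target - (intptr_t)(jump_insn + 5);
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

/* Buggy verifyRange: the new stub is only checked against the JITScript's
   main code, although the previous PIC stub will also be relinked to it. */
bool verify_range_buggy(uintptr_t new_stub, uintptr_t jit_code_jump,
                        uintptr_t prev_stub_jump)
{
    (void)prev_stub_jump;
    return rel32_reachable(jit_code_jump, new_stub);
}

/* Fixed verifyRange: every site that will jump to the new stub must reach it. */
bool verify_range_fixed(uintptr_t new_stub, uintptr_t jit_code_jump,
                        uintptr_t prev_stub_jump)
{
    return rel32_reachable(jit_code_jump, new_stub) &&
           rel32_reachable(prev_stub_jump, new_stub);
}

/* Patch the displacement of a JMP rel32 at jump_insn, refusing (rather than
   silently truncating to a wrong target) when the target is out of reach. */
bool set_rel32(uint8_t *jump_insn, uintptr_t target)
{
    if (!rel32_reachable((uintptr_t)jump_insn, target))
        return false;
    int32_t disp = (int32_t)((intptr_t)target - (intptr_t)(jump_insn + 5));
    memcpy(jump_insn + 1, &disp, sizeof disp);
    return true;
}

/* Exercise set_rel32 on a constructed buffer: a near target is patched, a
   target 4 GiB away is rejected. Returns true if both behave as expected. */
bool demo_patch(void)
{
    uint8_t buf[5] = { 0xE9, 0, 0, 0, 0 };           /* JMP rel32, disp 0 */
    bool near_ok = set_rel32(buf, (uintptr_t)buf + 5 + 0x100);
    bool far_rejected = !set_rel32(buf, (uintptr_t)buf + 0x100000000ULL);
    return near_ok && buf[1] == 0x00 && buf[2] == 0x01 && far_rejected;
}
```

With the constructed addresses below, the buggy check accepts a stub that the previous PIC stub cannot reach, while the fixed check rejects it.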
https://hg.mozilla.org/mozilla-central/rev/e8bd19f6abbb
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Awesome!