Bug 690376 - Crash [@ JSObject::nonNativeSetProperty]
Status: VERIFIED FIXED
Whiteboard: [sg:critical?][qa-] js-triage-needed
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Target Milestone: mozilla10
Assigned To: Brian Hackett (:bhackett)
Blocks: jsfunfuzz
Reported: 2011-09-29 08:47 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2015-10-07 18:43 PDT
choller: in-testsuite-

Attachments
stack (4.19 KB, text/plain)
2011-09-29 08:47 PDT, Gary Kwong [:gkw] [:nth10sd]
patch (981 bytes, patch)
2011-10-05 16:37 PDT, Brian Hackett (:bhackett)
dvander: review+
curtisk: approval-mozilla-aurora+

Description Gary Kwong [:gkw] [:nth10sd] 2011-09-29 08:47:51 PDT
Created attachment 563425 [details]
stack

(function() {
    function b(c) {
        if (c) u = function() {};
        this.x = /x/;
        switch (c) {
        case 4:
        case 6:
        }
        this.r = {}
    }
    for each(let a in [
        new Boolean(true),
        0,
        new Boolean(true),
        function() {},
        new Boolean(true),
        new Boolean(true),
        function() {},
        function() {},
        function() {}
        ]) {
        try {
            new b(a)();
        } catch (e) {}
    }
})()

crashes js opt shell 64-bit on Mac 10.6 on JM changeset 44ef245b8706 with -m, -a and -j at JSObject::nonNativeSetProperty. Testcase should be passed in as a CLI argument to reproduce.

The $pc value seems to be accessing register r11 at a scary address 0xf1c6d7e000000001 so locking s-s till shown otherwise.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-09-29 19:51:27 PDT
Crashes m-c changeset dbb129f069b1 64-bit js shell too, with possibly-related-but-not-really-identical stack.
Comment 2 Brian Hackett (:bhackett) 2011-10-05 16:37:09 PDT
Created attachment 565069 [details] [diff] [review]
patch

Codegen bug in JM+TM interaction, introduced in the TI merge I think.  JM+TM can enter jitcode at any opcode marked as a safe point, but JM did not guarantee this for safe points that are not the targets of a jump.
Comment 3 Brian Hackett (:bhackett) 2011-10-06 11:43:21 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/e456bef5839b
Comment 4 Daniel Veditz [:dveditz] 2011-10-06 13:11:40 PDT
Gary: does this crash affect Beta (Firefox 8)? Given the patch (if .. !typeInferenceEnabled()) maybe it does, then again this could have been completely different code prior to the TI landing.
Comment 5 Christian Holler (:decoder) 2011-10-07 05:40:20 PDT
https://hg.mozilla.org/mozilla-central/rev/e456bef5839b
Comment 6 Gary Kwong [:gkw] [:nth10sd] 2011-10-07 05:45:47 PDT
(In reply to Daniel Veditz from comment #4)
> Gary: does this crash affect Beta (Firefox 8)? Given the patch (if ..
> !typeInferenceEnabled()) maybe it does, then again this could have been
> completely different code prior to the TI landing.

I have to hold off testing on this, as the minis are in boxes and soon to be shipping.
Comment 7 Daniel Veditz [:dveditz] 2011-10-10 14:13:55 PDT
bhackett: do you know the answer to comment 4?
Comment 8 Brian Hackett (:bhackett) 2011-10-10 14:33:10 PDT
(In reply to Daniel Veditz from comment #7)
> bhackett: do you know the answer to comment 4?

This should not affect Firefox 8 or earlier.  The bug is caused by doing cross-branch register allocation when we shouldn't (when JM+TM is enabled), this kind of register allocation was introduced with the TI merge.
Comment 9 Brian Hackett (:bhackett) 2011-10-11 19:59:38 PDT
https://hg.mozilla.org/releases/mozilla-aurora/rev/c0c7322521b7
Comment 10 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-11-21 17:29:42 PST
Can someone who is already set up to reproduce this bug please verify the fix?
Comment 11 Gary Kwong [:gkw] [:nth10sd] 2011-11-28 17:07:45 PST
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #10)
> Can someone who is already set up to reproduce this bug please verify the
> fix?

Verified fixed on 64-bit debug and opt builds on Mac 10.6 on m-c changeset bc48009a6bbb.
Comment 12 Christian Holler (:decoder) 2013-03-11 08:53:08 PDT
Bug involving TM, but TM is already removed, in-testsuite-.