[Chunk Patch] Crash [@ js::mjit::Compiler::generateMethod]

RESOLVED FIXED

Core
JavaScript Engine
critical
6 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {crash, testcase})

Other Branch
x86
Linux
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 583000
Test case for shell (see README file inside).

The attached test crashes on mozilla-central with chunk patch (bug 706914) (options -m -n -a).

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::mjit::Compiler::generateMethod (this=0xffff7bcc) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/Compiler.cpp:1870
1870            chunkBegin = desc.begin;
(gdb) bt
#0  js::mjit::Compiler::generateMethod (this=0xffff7bcc) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/Compiler.cpp:1870
#1  0x08247efe in js::mjit::Compiler::performCompilation (this=0xffff7bcc) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/Compiler.cpp:542
#2  0x08248229 in compile (cx=0x83a3348, script=0xf7706200, pc=0x83bb580 "AT", construct=true, request=js::mjit::CompileRequest_Interpreter)
    at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/Compiler.cpp:160
#3  js::mjit::CanMethodJIT (cx=0x83a3348, script=0xf7706200, pc=0x83bb580 "AT", construct=true, request=js::mjit::CompileRequest_Interpreter)
    at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/Compiler.cpp:973
#4  0x080e5e15 in js::Interpret (cx=0x83a3348, entryFrame=0xf79b80d0, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinterp.cpp:3542
#5  0x08219c81 in js::mjit::EnterMethodJIT (cx=0x83a3348, fp=0xf79b80d0, code=0x430cb8, stackLimit=0xf7d98000, partial=false)
    at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1093
#6  0x0821a8c8 in CheckStackAndEnterMethodJIT (cx=0x83a3348, partial=false) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1125
#7  js::mjit::JaegerShot (cx=0x83a3348, partial=false) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1137
#8  0x080ea11c in js::RunScript (cx=0x83a3348, script=0xf7713080, fp=0xf79b80d0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinterp.cpp:576
#9  0x080ead9c in ExecuteKernel (cx=0x83a3348, script=0xf7713080, scopeChainArg=..., rval=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinterp.cpp:774
#10 js::Execute (cx=0x83a3348, script=0xf7713080, scopeChainArg=..., rval=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinterp.cpp:815
#11 0x080679ee in JS_ExecuteScript (cx=0x83a3348, obj=0xf7703040, script=0xf7713080, rval=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsapi.cpp:5059
#12 0x080512a8 in Load (cx=0x83a3348, argc=1, vp=0xf79b80a8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/shell/js.cpp:783
#13 0x082a2d81 in CallCompiler::generateNativeStub() ()
#14 0x0829e83f in js::mjit::ic::NativeCall (f=<value optimized out>, ic=<value optimized out>)
    at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:1055
#15 0x0821976a in throwpoline_exit ()
#16 0x08376524 in ?? ()
(Assignee)

Comment 1

6 years ago
A GC triggered during compilation will throw away the outer JITScript, which the compiler needs to watch for.  Fixed in the latest bug 706914 patch.
(Assignee)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Flags: in-testsuite?