Bug 712171 - [Chunk Patch] Crash [@ js::mjit::Compiler::generateMethod]
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86 Linux
Importance: -- critical
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Blocks: langfuzz 706914
Reported: 2011-12-19 16:41 PST by Christian Holler (:decoder)
Modified: 2011-12-21 10:58 PST
Flags: ryanvm: in-testsuite?

Attachments
Test case for shell (see README file inside). (8.12 KB, application/x-compressed-tar) - 2011-12-19 16:41 PST, Christian Holler (:decoder)

Description Christian Holler (:decoder) 2011-12-19 16:41:30 PST
Created attachment 583000
Test case for shell (see README file inside).

The attached test crashes on mozilla-central with chunk patch (bug 706914) (options -m -n -a).

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::mjit::Compiler::generateMethod (this=0xffff7bcc) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/Compiler.cpp:1870
1870            chunkBegin = desc.begin;
(gdb) bt
#0  js::mjit::Compiler::generateMethod (this=0xffff7bcc) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/Compiler.cpp:1870
#1  0x08247efe in js::mjit::Compiler::performCompilation (this=0xffff7bcc) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/Compiler.cpp:542
#2  0x08248229 in compile (cx=0x83a3348, script=0xf7706200, pc=0x83bb580 "AT", construct=true, request=js::mjit::CompileRequest_Interpreter)
    at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/Compiler.cpp:160
#3  js::mjit::CanMethodJIT (cx=0x83a3348, script=0xf7706200, pc=0x83bb580 "AT", construct=true, request=js::mjit::CompileRequest_Interpreter)
    at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/Compiler.cpp:973
#4  0x080e5e15 in js::Interpret (cx=0x83a3348, entryFrame=0xf79b80d0, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinterp.cpp:3542
#5  0x08219c81 in js::mjit::EnterMethodJIT (cx=0x83a3348, fp=0xf79b80d0, code=0x430cb8, stackLimit=0xf7d98000, partial=false)
    at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1093
#6  0x0821a8c8 in CheckStackAndEnterMethodJIT (cx=0x83a3348, partial=false) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1125
#7  js::mjit::JaegerShot (cx=0x83a3348, partial=false) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1137
#8  0x080ea11c in js::RunScript (cx=0x83a3348, script=0xf7713080, fp=0xf79b80d0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinterp.cpp:576
#9  0x080ead9c in ExecuteKernel (cx=0x83a3348, script=0xf7713080, scopeChainArg=..., rval=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinterp.cpp:774
#10 js::Execute (cx=0x83a3348, script=0xf7713080, scopeChainArg=..., rval=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinterp.cpp:815
#11 0x080679ee in JS_ExecuteScript (cx=0x83a3348, obj=0xf7703040, script=0xf7713080, rval=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsapi.cpp:5059
#12 0x080512a8 in Load (cx=0x83a3348, argc=1, vp=0xf79b80a8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/shell/js.cpp:783
#13 0x082a2d81 in CallCompiler::generateNativeStub() ()
#14 0x0829e83f in js::mjit::ic::NativeCall (f=<value optimized out>, ic=<value optimized out>)
    at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:1055
#15 0x0821976a in throwpoline_exit ()
#16 0x08376524 in ?? ()
Comment 1 Brian Hackett (:bhackett) 2011-12-21 08:45:28 PST
A GC triggered during compilation will throw away the outer JITScript, which the compiler needs to watch for.  Fixed in the latest bug 706914 patch.