Closed Bug 728609 Opened 11 years ago Closed 11 years ago

[IncrementalGC] Crash [@ js::mjit::JITScript::chunkIndex]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla13
Tracking Flags:
Tracking Status
firefox13 --- verified

People

(Reporter: decoder, Assigned: billm)

References

Details

(Keywords: crash, testcase, Whiteboard: [qa!])

Crash Data

Attachments

(1 file)

patch
2.26 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
The following test crashes on larch branch (incremental GC) revision 1b4a30320120 (options -m -n -a):


var lfcode = new Array();
lfcode.push("\
test();\
function test() {\
  function removeAllProperties(o) {\
    bar() = thaw, patterns;\
  }\
  var o = {};\
  o.first = { toSource: function() { removeAllProperties(o); } };\
  return o.toSource();\
}\
");
lfcode.push("test();");
gczeal(4);
while (true) {
        var file = lfcode.shift(); if (file == undefined) { break; }
                loadFile(file);
}
function loadFile(lfVarx) {
        try {
                        evaluate(lfVarx);
        } catch (lfVare) {      }
}


Crash Trace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000046079a in js::mjit::JITScript::chunkIndex (this=0x0, pc=0xb7228f ":") at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.h:818
818             unsigned offset = pc - script->code;
(gdb) bt 8
#0  0x000000000046079a in js::mjit::JITScript::chunkIndex (this=0x0, pc=0xb7228f ":") at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.h:818
#1  0x000000000046087b in js::mjit::JITScript::chunk (this=0x0, pc=0xb7228f ":") at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.h:831
#2  0x0000000000734da8 in js::VMFrame::chunk (this=0x7fffffff93a0) at ../methodjit/MethodJIT.h:969
#3  0x00000000007364dc in CallCompiler::disable (this=0x7fffffff9360) at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MonoIC.cpp:584
#4  0x00000000007384c3 in CallCompiler::update (this=0x7fffffff9360) at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MonoIC.cpp:972
#5  0x00000000007334ba in js::mjit::ic::Call (f=..., ic=0xb78f98) at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MonoIC.cpp:1018
#6  0x000000000069a48e in JaegerTrampolineReturn () at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.cpp:160
#7  0x000000000069a79e in js::mjit::EnterMethodJIT (cx=0xb6cb30, fp=0x7ffff0beb270, code=0x7ffff7f48cd0, stackLimit=0x7ffff0fcb000, partial=false)
    at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.cpp:1053
#8  0x000000000069aa14 in CheckStackAndEnterMethodJIT (cx=0xb6cb30, fp=0x7ffff0beb270, code=0x7ffff7f48cd0, partial=false)
    at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.cpp:1112


Might be related to bug 728506.
Attached patch patchSplinter Review 
I was incrementing the gcNumber is StartVerifyBarriers, but not in EndVerifyBarriers, even though they both discard jit code.
Attachment #600120 - Flags: review?(bhackett1024)
Attachment #600120 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/51c51a451762
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [qa+]
Ubuntu 11.10 64bit
Build: mozilla-beta-5f412ea09aba
I built Jaegermonkey and ran the test from comment #0: no crash/assertion/failure occured.

Marking verified for firefox 13.
Status: RESOLVED → VERIFIED
status-firefox13: fixedverified
Whiteboard: [qa+] → [qa!]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug728609.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.