IonMonkey: Crash on Heap near [@ js::ion::MBasicBlock::numEntrySlots]

RESOLVED FIXED

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: major
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 5 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Version: Other Branch
Hardware: x86_64
OS: Linux
Keywords: crash, testcase
Points: ---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following testcase crashes on ionmonkey revision 5a04fd69aa09 (run with --ion -n -m --ion-eager), tested on 64 bit:


function q2(n) {
  var c = [];
  var e = /foo$/.test(c) && c.match(/(.*)foo$/);
}
for (var x = 500; x < 5000; x += 500)
var y2 = q2(x);
(Reporter)

Comment 1

6 years ago
Stack:

#0  0x0000000000cd5fd0 in ?? ()
#1  0x0000000000787891 in js::ion::MBasicBlock::numEntrySlots (this=0xccf390) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/MIRGraph.h:376
#2  0x000000000083f76d in js::ion::C1Spewer::spewPass (this=0xc97d50, fp=0xccca80, block=0xccf390) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/C1Spewer.cpp:213
#3  0x000000000083ecf5 in js::ion::C1Spewer::spewPass (this=0xc97d50, pass=0x8e817b "Split Critical Edges")
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/C1Spewer.cpp:89
#4  0x0000000000794408 in js::ion::IonSpewer::spewPass (this=0xc97d40, pass=0x8e817b "Split Critical Edges")
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonSpewer.cpp:141
#5  0x000000000079422f in js::ion::IonSpewPass (pass=0x8e817b "Split Critical Edges") at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonSpewer.cpp:82
#6  0x000000000075f0cf in TestCompiler (builder=..., graph=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:650
#7  0x000000000075f7a0 in IonCompile (cx=0xcc6db0, script=0x7ffff09072e0, fp=0x7ffff0beb0b0, osrPc=0xcccf12  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:759
#8  0x000000000075fe9f in js::ion::Compile (cx=0xcc6db0, script=0x7ffff09072e0, fp=0x7ffff0beb0b0, osrPc=0xcccf12  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:894
#9  0x000000000075fcd7 in js::ion::CanEnterAtBranch (cx=0xcc6db0, script=0x7ffff09072e0, fp=0x7ffff0beb0b0, pc=0xcccf12  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:855
#10 0x0000000000505069 in js::Interpret (cx=0xcc6db0, entryFrame=0x7ffff0beb0b0, interpMode=js::JSINTERP_BAILOUT)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1767
#11 0x000000000083cb9a in js::ion::ThunkToInterpreter (vp=0x7fffffffd2e8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:514
(Assignee)

Comment 2

6 years ago
Created attachment 600601 [details] [diff] [review]
fix

Subtle: SplitCriticalEdges was using the wrong CompileInfo, so basic blocks could start off with too few slots in their vectors, which would then get overrun. Using FixedList<> would have caught this, but I think FixedList was introduced later.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #600601 - Flags: review?(jdemooij)
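The failure mode dvander describes above (a block's entry-slot vector sized from one CompileInfo, then written with the slot count of another) is easier to see with a bounds-checked list in hand. The following is an added illustration, not IonMonkey source: CompileInfo, FixedList, Block, splitEdge and trySplit are simplified stand-ins whose names merely mirror the discussion, and the slot counts are constructed sample data. The checked list refuses the out-of-range write that raw storage would silently turn into a heap overrun.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Hypothetical stand-in for IonMonkey's CompileInfo: how many entry slots
// (arguments, locals, expression stack) a block of a given script carries.
// An inlined callee has a different count than the script that inlined it.
struct CompileInfo {
    size_t nslots;
};

// Bounds-checked fixed-length list in the spirit of FixedList<>.
template <typename T>
class FixedList {
    std::vector<T> list_;
    size_t length_ = 0;

  public:
    bool init(size_t length) {
        // Reject a length whose byte size would overflow before allocating.
        if (length > std::numeric_limits<size_t>::max() / sizeof(T))
            return false;
        length_ = length;
        if (length == 0)
            return true;
        list_.assign(length, T());
        return true;
    }

    size_t length() const { return length_; }

    // Checked write: an index taken from a larger CompileInfo than the one
    // this list was sized with is refused instead of clobbering the heap.
    bool set(size_t idx, const T& value) {
        if (idx >= length_)
            return false;
        list_[idx] = value;
        return true;
    }

    bool get(size_t idx, T* out) const {
        if (idx >= length_)
            return false;
        *out = list_[idx];
        return true;
    }
};

// A basic block whose entry-slot vector is sized from a CompileInfo.
struct Block {
    FixedList<uint32_t> entrySlots;

    bool init(const CompileInfo& info) {
        return entrySlots.init(info.nslots);
    }
};

// Split a critical edge: create a new block between predecessor and
// successor and copy the predecessor's entry slots into it. |info| must
// describe the same script as the predecessor; passing the outer script's
// CompileInfo while the predecessor belongs to an inlined callee with more
// slots makes the copy run past the new block's vector. With FixedList the
// mismatch is reported as false rather than overrunning memory.
bool splitEdge(const CompileInfo& info, const std::vector<uint32_t>& predSlots, Block* split) {
    if (!split->init(info))
        return false;
    for (size_t i = 0; i < predSlots.size(); i++) {
        if (!split->entrySlots.set(i, predSlots[i]))
            return false;   // raw storage would have written past the end here
    }
    return true;
}

// Sizes the split block from a CompileInfo with |nslotsFromInfo| slots and
// copies a constructed predecessor that has 8 entry slots (an inlined callee).
// Returns true only if the split succeeded and every slot round-trips.
bool trySplit(size_t nslotsFromInfo) {
    std::vector<uint32_t> predSlots = {10, 11, 12, 13, 14, 15, 16, 17};
    CompileInfo info = {nslotsFromInfo};
    Block split;
    if (!splitEdge(info, predSlots, &split))
        return false;
    for (size_t i = 0; i < predSlots.size(); i++) {
        uint32_t v;
        if (!split.entrySlots.get(i, &v) || v != predSlots[i])
            return false;
    }
    return true;
}

int main() {
    bool wrong = trySplit(4);  // outer script's 4 slots: overrun detected
    bool right = trySplit(8);  // callee's own CompileInfo: the copy fits
    return (!wrong && right) ? 0 : 1;
}
```

The important property is that the length check lives next to the storage, so whichever CompileInfo a caller picks, a slot index the block was not sized for fails loudly at the write instead of corrupting the adjacent allocation that the C1Spewer later walks.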
(Assignee)

Comment 3

6 years ago
Also in that patch, I reverted a broken change from bug 728188 - GetPropertyCache has to know its inlined script, not the script where you find script->ion. Once we improve the performance of GetPcScript() then we can remove this again.
Comment 4

Comment on attachment 600601 [details] [diff] [review]
fix

Review of attachment 600601 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/FixedArityList.h
@@ +98,5 @@
>          length_ = length;
>          if (length == 0)
>              return true;
>  
> +        list_ = (T *)GetIonContext()->temp->allocate(length * sizeof(T));
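Review bot: the result of the allocation on the `+` line is never checked before the function falls through to its success return, and `length_ = length;` has already been set two lines above, so if `GetIonContext()->temp->allocate()` can return NULL on OOM the list is left claiming `length` elements behind a null `list_`. Since the function already returns bool, add `if (!list_) return false;` right after the allocation, and consider guarding `length * sizeof(T)` against overflow before it is used as the byte count.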

Good catch.
Attachment #600601 - Flags: review?(jdemooij) → review+
(Assignee)

Comment 5

6 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/fc930c2090bd
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug729798.js.
Flags: in-testsuite+