Closed Bug 732848 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::HeapPtr<js::ion::IonCode, unsigned int>::operator js::ion::IonCode*]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

The following testcase crashes on ionmonkey revision 1fd6c40d3852 (run with --ion -n), tested on 64 bit:


gczeal(2,1);
for( var time = 0, year = 1969; year >= 0; year-- ) {}
Comment 0 is wrong about arch, this is 32 bit.

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x08114d32 in js::HeapPtr<js::ion::IonCode, unsigned int>::operator js::ion::IonCode* (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/gc/Barrier.h:233
233         operator T*() const { return value; }
Missing separate debuginfos, use: debuginfo-install libgcc-4.4.6-3.el6.i686 libstdc++-4.4.6-3.el6.i686
(gdb) bt
#0  0x08114d32 in js::HeapPtr<js::ion::IonCode, unsigned int>::operator js::ion::IonCode* (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/gc/Barrier.h:233
#1  0x08384e4b in js::ion::IonScript::method (this=0x0) at ../ion/IonCode.h:266
#2  0x08383da7 in js::ion::SideCannon (cx=0x86e0d98, fp=0xf79cf020, pc=0x86e8eca  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:983
#3  0x0813fdbf in js::Interpret (cx=0x86e0d98, entryFrame=0xf79cf020, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1773
#4  0x0813b630 in js::RunScript (cx=0x86e0d98, script=0xf7706128, fp=0xf79cf020) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:463
#5  0x0813c135 in js::ExecuteKernel (cx=0x86e0d98, script=0xf7706128, scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x0)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:666
#6  0x0813c35e in js::Execute (cx=0x86e0d98, script=0xf7706128, scopeChainArg=..., rval=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:707
#7  0x08085024 in JS_ExecuteScript (cx=0x86e0d98, obj=0xf7703040, script=0xf7706128, rval=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsapi.cpp:5302
#8  0x0804c379 in Process (cx=0x86e0d98, obj=0xf7703040, filename=0xffffcfad "min.js", forceTTY=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:478
#9  0x08058015 in ProcessArgs (cx=0x86e0d98, obj=0xf7703040, op=0xffffcc84) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5273
#10 0x08058262 in Shell (cx=0x86e0d98, op=0xffffcc84, envp=0xffffcdd8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5356
#11 0x08058bda in main (argc=4, argv=0xffffcdc4, envp=0xffffcdd8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5596
Hardware: x86_64 → x86
Attached patch fixSplinter Review
The bug is that getting enterJIT/osrPrologue could GC, setting script->ion to NULL at a point where we *have* to execute ion code.

This patch refactors things to be more like CheckEnterAtBranch, so we compile & ensure the entry point in one step.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #605253 - Flags: review?(sstangl)
Comment on attachment 605253 [details] [diff] [review]
fix

Review of attachment 605253 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsinterp.cpp
@@ +1843,5 @@
>      if (ion::IsEnabled()) {
>          ion::MethodStatus status =
>              ion::CanEnterAtBranch(cx, script, regs.fp(), regs.pc);
> +        if (status == ion::Method_Error)
> +            goto error;

It somewhat scares me that JIT linker failure causes an error to be propagated.
Attachment #605253 - Flags: review?(sstangl) → review+
Attached file stack
> Comment on attachment 605253 [details] [diff] [review]
> fix

function f() {
    a = function() {}
}(function() {
    new f
}())

With this testcase, this patch seems to cause:

Assertion failure: CheckFrame(fp),
http://hg.mozilla.org/projects/ionmonkey/rev/da20de5ab4b8
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.