Closed Bug 732848 Opened 14 years ago Closed 14 years ago

IonMonkey: Crash [@ js::HeapPtr<js::ion::IonCode, unsigned int>::operator js::ion::IonCode*]

Categories: Core :: JavaScript Engine, defect
Version: Other Branch
Hardware: x86
OS: Linux
Priority: Not set
Severity: major
Status: RESOLVED FIXED
People: Reporter: decoder, Assigned: dvander
Keywords: crash, testcase
Attachments: 2 files

The following testcase crashes on ionmonkey revision 1fd6c40d3852 (run with --ion -n), tested on 64 bit:

gczeal(2,1); for( var time = 0, year = 1969; year >= 0; year-- ) {}
Comment 0 is wrong about arch, this is 32 bit.

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x08114d32 in js::HeapPtr<js::ion::IonCode, unsigned int>::operator js::ion::IonCode* (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/gc/Barrier.h:233
233	    operator T*() const { return value; }
Missing separate debuginfos, use: debuginfo-install libgcc-4.4.6-3.el6.i686 libstdc++-4.4.6-3.el6.i686
(gdb) bt
#0  0x08114d32 in js::HeapPtr<js::ion::IonCode, unsigned int>::operator js::ion::IonCode* (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/gc/Barrier.h:233
#1  0x08384e4b in js::ion::IonScript::method (this=0x0) at ../ion/IonCode.h:266
#2  0x08383da7 in js::ion::SideCannon (cx=0x86e0d98, fp=0xf79cf020, pc=0x86e8eca <incomplete sequence \344\232>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:983
#3  0x0813fdbf in js::Interpret (cx=0x86e0d98, entryFrame=0xf79cf020, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1773
#4  0x0813b630 in js::RunScript (cx=0x86e0d98, script=0xf7706128, fp=0xf79cf020) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:463
#5  0x0813c135 in js::ExecuteKernel (cx=0x86e0d98, script=0xf7706128, scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:666
#6  0x0813c35e in js::Execute (cx=0x86e0d98, script=0xf7706128, scopeChainArg=..., rval=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:707
#7  0x08085024 in JS_ExecuteScript (cx=0x86e0d98, obj=0xf7703040, script=0xf7706128, rval=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsapi.cpp:5302
#8  0x0804c379 in Process (cx=0x86e0d98, obj=0xf7703040, filename=0xffffcfad "min.js", forceTTY=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:478
#9  0x08058015 in ProcessArgs (cx=0x86e0d98, obj=0xf7703040, op=0xffffcc84) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5273
#10 0x08058262 in Shell (cx=0x86e0d98, op=0xffffcc84, envp=0xffffcdd8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5356
#11 0x08058bda in main (argc=4, argv=0xffffcdc4, envp=0xffffcdd8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5596
Hardware: x86_64 → x86
Attached patch fix
The bug is that getting enterJIT/osrPrologue could GC, setting script->ion to NULL at a point where we *have* to execute ion code. This patch refactors things to be more like CheckEnterAtBranch, so we compile & ensure the entry point in one step.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #605253 - Flags: review?(sstangl)
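The hazard described in the fix comment above (a call that can GC sitting between establishing script->ion and using it, so the pointer that was checked is not the pointer that is used) is easy to reproduce in miniature. The following is an added example, not SpiderMonkey code; the types Script/IonScript/IonCode and the functions ensure_compiled, alloc_may_gc, enter_buggy and enter_fixed are hypothetical stand-ins for the engine's real ones, and the gc_on_next_alloc flag models what gczeal(2,1) does in the testcase.

```c
/*
 * Added example, not SpiderMonkey code: a small model of the GC hazard in
 * bug 732848. A cached pointer (script->ion) is established, a call that may
 * trigger GC runs, and then the cached pointer is used. If the collector
 * discards the compiled code in between, the cache is NULL again and the use
 * dereferences NULL (IonScript::method with this=0x0 in the backtrace).
 * Script, IonScript, IonCode, ensure_compiled, alloc_may_gc and enter_* are
 * hypothetical names, not the engine's real types or functions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct IonCode   { int entry; }       IonCode;
typedef struct IonScript { IonCode *method; } IonScript;
typedef struct Script    { IonScript *ion; }  Script;

/* Models gczeal(2,1): when set, the next allocation runs a GC. */
static bool gc_on_next_alloc = false;

/* The collector is allowed to throw away JIT code; the script's cache then
 * reads NULL until it is recompiled. */
static void discard_ion(Script *script) {
    if (script->ion) {
        free(script->ion->method);
        free(script->ion);
        script->ion = NULL;
    }
}

/* Any allocation is a GC point (stands in for fetching enterJIT/osrPrologue). */
static void *alloc_may_gc(Script *script, size_t n) {
    if (gc_on_next_alloc) {
        discard_ion(script);
        gc_on_next_alloc = false;
    }
    return calloc(1, n);
}

/* Compile the script's Ion code, or reuse it. Returns NULL on OOM. */
static IonScript *ensure_compiled(Script *script) {
    if (script->ion)
        return script->ion;
    IonScript *ion = calloc(1, sizeof *ion);
    if (!ion)
        return NULL;
    ion->method = calloc(1, sizeof *ion->method);
    if (!ion->method) {
        free(ion);
        return NULL;
    }
    ion->method->entry = 42;   /* stand-in for the code's entry address */
    script->ion = ion;
    return ion;
}

/* Buggy order, as in the report: compile, then fetch a trampoline (which may
 * GC), then read script->ion again. Returns the entry, or -1 where the real
 * code dereferenced NULL (checked here only so the model does not crash). */
static int enter_buggy(Script *script) {
    if (!ensure_compiled(script))
        return -1;
    void *trampoline = alloc_may_gc(script, 16);   /* GC point after the check */
    free(trampoline);
    if (!script->ion)
        return -1;                                 /* the engine had no such check */
    return script->ion->method->entry;
}

/* Fixed order, following the principle in the fix comment: do everything that
 * can GC first, then compile and take the entry pointer with no GC point in
 * between, so the pointer used is the one that was just established. */
static int enter_fixed(Script *script) {
    void *trampoline = alloc_may_gc(script, 16);   /* GC allowed here */
    free(trampoline);
    IonScript *ion = ensure_compiled(script);      /* no GC point from here on */
    if (!ion)
        return -1;
    return ion->method->entry;
}

/* Drive one sequence on a fresh script, with GC forced on the next allocation or not. */
static int run(int (*enter)(Script *), bool force_gc) {
    Script script = { NULL };
    gc_on_next_alloc = force_gc;
    int result = enter(&script);
    discard_ion(&script);
    gc_on_next_alloc = false;
    return result;
}

int main(void) {
    printf("buggy, no GC: %d\n", run(enter_buggy, false));
    printf("buggy, GC:    %d\n", run(enter_buggy, true));
    printf("fixed, GC:    %d\n", run(enter_fixed, true));
    return 0;
}
```

The buggy sequence only fails when a GC lands on the allocation between the check and the use, which is why the report needed gczeal to force a collection on every allocation; in the model the same is done with gc_on_next_alloc.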
Comment on attachment 605253 [details] [diff] [review] fix Review of attachment 605253 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsinterp.cpp @@ +1843,5 @@ > if (ion::IsEnabled()) { > ion::MethodStatus status = > ion::CanEnterAtBranch(cx, script, regs.fp(), regs.pc); > + if (status == ion::Method_Error) > + goto error; It somewhat scares me that JIT linker failure causes an error to be propagated.
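Review bot: the added `if (status == ion::Method_Error) goto error;` at jsinterp.cpp:1843 turns every Method_Error from CanEnterAtBranch into a script-terminating error, but nothing in the hunk shows that Method_Error is only returned once an exception or OOM has already been reported on cx; a failure that is merely "could not produce code" (the linker failure mentioned in the review) would then abort the script instead of letting the interpreter carry on. Suggest a comment at the check stating the invariant (Method_Error implies an error already reported on cx; every other status falls through to the interpreter) and, if CanEnterAtBranch cannot guarantee it, a distinct status for "compilation declined" so the interpreter keeps running.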
Attachment #605253 - Flags: review?(sstangl) → review+
Attached file stack
> Comment on attachment 605253 [details] [diff] [review]
> fix

function f() { a = function() {} }(function() { new f }())

With this testcase, this patch seems to cause:

Assertion failure: CheckFrame(fp),
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED