Last Comment Bug 732848 - IonMonkey: Crash [@ js::HeapPtr<js::ion::IonCode, unsigned int>::operator js::ion::IonCode*]
: IonMonkey: Crash [@ js::HeapPtr<js::ion::IonCode, unsigned int>::operator js:...
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86 Linux
-- major (vote)
: ---
Assigned To: David Anderson [:dvander]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz IonFuzz
  Show dependency treegraph
Reported: 2012-03-04 17:48 PST by Christian Holler (:decoder)
Modified: 2012-03-15 17:27 PDT (History)
5 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

fix (10.24 KB, patch)
2012-03-12 17:52 PDT, David Anderson [:dvander]
sstangl: review+
Details | Diff | Splinter Review
stack (3.50 KB, text/plain)
2012-03-15 14:44 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags Details

Description User image Christian Holler (:decoder) 2012-03-04 17:48:38 PST
The following testcase crashes on ionmonkey revision 1fd6c40d3852 (run with --ion -n), tested on 64 bit:

for( var time = 0, year = 1969; year >= 0; year-- ) {}
Comment 1 User image Christian Holler (:decoder) 2012-03-04 17:49:38 PST
Comment 0 is wrong about arch, this is 32 bit.

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x08114d32 in js::HeapPtr<js::ion::IonCode, unsigned int>::operator js::ion::IonCode* (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/gc/Barrier.h:233
233         operator T*() const { return value; }
Missing separate debuginfos, use: debuginfo-install libgcc-4.4.6-3.el6.i686 libstdc++-4.4.6-3.el6.i686
(gdb) bt
#0  0x08114d32 in js::HeapPtr<js::ion::IonCode, unsigned int>::operator js::ion::IonCode* (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/gc/Barrier.h:233
#1  0x08384e4b in js::ion::IonScript::method (this=0x0) at ../ion/IonCode.h:266
#2  0x08383da7 in js::ion::SideCannon (cx=0x86e0d98, fp=0xf79cf020, pc=0x86e8eca  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:983
#3  0x0813fdbf in js::Interpret (cx=0x86e0d98, entryFrame=0xf79cf020, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1773
#4  0x0813b630 in js::RunScript (cx=0x86e0d98, script=0xf7706128, fp=0xf79cf020) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:463
#5  0x0813c135 in js::ExecuteKernel (cx=0x86e0d98, script=0xf7706128, scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x0)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:666
#6  0x0813c35e in js::Execute (cx=0x86e0d98, script=0xf7706128, scopeChainArg=..., rval=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:707
#7  0x08085024 in JS_ExecuteScript (cx=0x86e0d98, obj=0xf7703040, script=0xf7706128, rval=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsapi.cpp:5302
#8  0x0804c379 in Process (cx=0x86e0d98, obj=0xf7703040, filename=0xffffcfad "min.js", forceTTY=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:478
#9  0x08058015 in ProcessArgs (cx=0x86e0d98, obj=0xf7703040, op=0xffffcc84) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5273
#10 0x08058262 in Shell (cx=0x86e0d98, op=0xffffcc84, envp=0xffffcdd8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5356
#11 0x08058bda in main (argc=4, argv=0xffffcdc4, envp=0xffffcdd8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5596
Comment 2 User image David Anderson [:dvander] 2012-03-12 17:52:50 PDT
Created attachment 605253 [details] [diff] [review]

The bug is that getting enterJIT/osrPrologue could GC, setting script->ion to NULL at a point where we *have* to execute ion code.

This patch refactors things to be more like CheckEnterAtBranch, so we compile & ensure the entry point in one step.
Comment 3 User image Sean Stangl [:sstangl] 2012-03-13 16:31:37 PDT
Comment on attachment 605253 [details] [diff] [review]

Review of attachment 605253 [details] [diff] [review]:

::: js/src/jsinterp.cpp
@@ +1843,5 @@
>      if (ion::IsEnabled()) {
>          ion::MethodStatus status =
>              ion::CanEnterAtBranch(cx, script, regs.fp(), regs.pc);
> +        if (status == ion::Method_Error)
> +            goto error;

It somewhat scares me that JIT linker failure causes an error to be propagated.
Comment 4 User image Gary Kwong [:gkw] [:nth10sd] 2012-03-15 14:44:47 PDT
Created attachment 606356 [details]

> Comment on attachment 605253 [details] [diff] [review]
> fix

function f() {
    a = function() {}
}(function() {
    new f

With this testcase, this patch seems to cause:

Assertion failure: CheckFrame(fp),
Comment 5 User image David Anderson [:dvander] 2012-03-15 17:27:25 PDT

Note You need to log in before you can comment on or make changes to this bug.