The default bug view has changed. See this FAQ.

Consistent failure of jit-test bug673812.js on 64-bit with -a -m -n

RESOLVED FIXED in mozilla14

Status

()

Core
JavaScript Engine
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: dmandelin, Assigned: bhackett)

Tracking

({regression})

Trunk
mozilla14
regression
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
This is really bug 741544, but filing a new bug because the failspam (though useful for noticing the problem) makes it hard to read comments. 

I can reproduce on 64-bit OSX with

  python ../jit-test/jit_test.py --valgrind --jitflags
=amn shell/js 673812 -so

or 

  shell/js -m -n -a -e "const platform='darwin'; const libdir='/Users/dmandelin/sources/mozilla-central/js/src/jit-test/lib/';" -f /Users/dmandelin/sources/mozilla-central/js/src/jit-test/lib/prolog.js -f /Users/dmandelin/sources/mozilla-central/js/src/jit-test/tests/jaeger/recompile/bug673812.js

Annoyingly, it doesn't repro for me in gdb, but it does repro in valgrind. I'll attach a valgrind report, but it's in JITScript::chunkIndex, so guessing chunked compilation.
Created attachment 612760 [details]
stack trace

I tried reproducing this myself. It happens every 10 runs or so. I was able to bisect it to this:

The first bad revision is:
changeset:   90829:3a185f034768
user:        Luke Wagner <luke@mozilla.com>
date:        Mon Apr 02 08:57:27 2012 -0700
summary:     Bug 740654 - Hoist recursion checks out of Interpret into callers so that Interpret does not throw when trying to rejoin from mjit (r=bhackett)

I also have a stack trace. It has over 1000 frames on it, so I only included the top. Given the patch's summary, it seems likely to be related to a stack overflow, I guess.
Keywords: regression

Comment 2

5 years ago
I looked at a core dump (I can also repro 1 in 10 on Linux).  I'm thinking that bug 740654 is tickling a different bug by causing an over-recursed error to appear in a new place.  What seems to be happening is that we are in ic::Call, we call stubs::UncachedCallHelper, that throws 'over recursed', and then later in CallCompiler::update, in the "if (!ucr.codeAddr && ucr.unjittable)" branch, we call disable() which passes f.chunk() == NULL to Repatcher which crashes becuase it assumes non-NULL.

Brian, I don't understand chunked compilation, could you weigh in?  The f.chunk() == NULL makes me think this this might be a simple error handling issue.

Updated

5 years ago
Duplicate of this bug: 743706
Created attachment 613432 [details] [diff] [review]
patch

As discussed with luke on IRC, the issue is that the IC is trying to disable itself while the callee's frame is still on the stack (the callee throws but doesn't unwind).
Attachment #613432 - Flags: review?(luke)

Updated

5 years ago
Attachment #613432 - Flags: review?(luke) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/2336a559ec7c
https://hg.mozilla.org/mozilla-central/rev/2336a559ec7c
Assignee: general → bhackett1024
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
You need to log in before you can comment on or make changes to this bug.