This is really bug 741544, but filing a new bug because the failspam (though useful for noticing the problem) makes it hard to read comments. I can reproduce on 64-bit OSX with python ../jit-test/jit_test.py --valgrind --jitflags =amn shell/js 673812 -so or shell/js -m -n -a -e "const platform='darwin'; const libdir='/Users/dmandelin/sources/mozilla-central/js/src/jit-test/lib/';" -f /Users/dmandelin/sources/mozilla-central/js/src/jit-test/lib/prolog.js -f /Users/dmandelin/sources/mozilla-central/js/src/jit-test/tests/jaeger/recompile/bug673812.js Annoyingly, it doesn't repro for me in gdb, but it does repro in valgrind. I'll attach a valgrind report, but it's in JITScript::chunkIndex, so guessing chunked compilation.
I tried reproducing this myself. It happens every 10 runs or so. I was able to bisect it to this: The first bad revision is: changeset: 90829:3a185f034768 user: Luke Wagner <firstname.lastname@example.org> date: Mon Apr 02 08:57:27 2012 -0700 summary: Bug 740654 - Hoist recursion checks out of Interpret into callers so that Interpret does not throw when trying to rejoin from mjit (r=bhackett) I also have a stack trace. It has over 1000 frames on it, so I only included the top. Given the patch's summary, it seems likely to be related to a stack overflow, I guess.
I looked at a core dump (I can also repro 1 in 10 on Linux). I'm thinking that bug 740654 is tickling a different bug by causing an over-recursed error to appear in a new place. What seems to be happening is that we are in ic::Call, we call stubs::UncachedCallHelper, that throws 'over recursed', and then later in CallCompiler::update, in the "if (!ucr.codeAddr && ucr.unjittable)" branch, we call disable() which passes f.chunk() == NULL to Repatcher which crashes becuase it assumes non-NULL. Brian, I don't understand chunked compilation, could you weigh in? The f.chunk() == NULL makes me think this this might be a simple error handling issue.
As discussed with luke on IRC, the issue is that the IC is trying to disable itself while the callee's frame is still on the stack (the callee throws but doesn't unwind).
Attachment #613432 - Flags: review?(luke)
Assignee: general → bhackett1024
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
You need to log in before you can comment on or make changes to this bug.