Bug 743096 - IonMonkey: Crash [@ malloc_consolidate]
Status: RESOLVED FIXED
Whiteboard: [jsbugmon:update]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- major
Target Milestone: ---
Assigned To: Nicolas B. Pierron [:nbp]
Duplicates: 741207
Depends on:
Blocks: langfuzz IonFuzz

Reported: 2012-04-05 17:28 PDT by Christian Holler (:decoder)
Modified: 2013-02-07 05:14 PST
Flags: choller: in-testsuite+


Attachments
InitProp: Fix dynamic slot index. (1.01 KB, patch)
2012-04-07 23:46 PDT, Nicolas B. Pierron [:nbp]
sstangl: review+

Description Christian Holler (:decoder) 2012-04-05 17:28:21 PDT
The following testcase crashes on ionmonkey revision a9a18824b4c1 (run with --ion -n -m --ion-eager):


try {
    function f() {
        var obj = {
            p0:0, p1:1, p2:2, p3:3, p4:4, p5:5, p6:6, p7:7, p8:8, p9:9,
            p10:0, p11:1, set:2, p13:3, p14:4, p15:5, p16:6, p17:7, p18:8, p19:9,
            with: function() { return 42; }
        };
    }
    actual = f();
} catch(exc1) {}
Comment 1 Christian Holler (:decoder) 2012-04-05 17:29:03 PDT
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6ef123d in malloc_consolidate () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff6ef123d in malloc_consolidate () from /lib64/libc.so.6
#1  0x00007ffff6ef41c2 in _int_malloc () from /lib64/libc.so.6
#2  0x00007ffff6ef55ed in malloc () from /lib64/libc.so.6
#3  0x000000000041456f in js_malloc (bytes=16384) at ../dist/include/js/Utility.h:173
#4  0x0000000000414696 in js::SystemAllocPolicy::malloc_ (this=0x7ffff7fdec58, bytes=16384) at ../../jsalloc.h:66
#5  0x000000000046d178 in js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::createTable (alloc=..., capacity=1024)
    at ./dist/include/js/HashTable.h:360
#6  0x000000000046d34f in js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::changeTableSize (this=0x7ffff7fdec58, 
    deltaLog2=-1) at ./dist/include/js/HashTable.h:581
#7  0x000000000046cbd0 in js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::checkUnderloaded (this=0x7ffff7fdec58)
    at ./dist/include/js/HashTable.h:659
#8  0x000000000046bce8 in js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::Enum::~Enum (this=0x7fffffffd700, 
    __in_chrg=<value optimized out>) at ./dist/include/js/HashTable.h:265
#9  0x000000000046a967 in js_SweepAtomState (rt=0x7ffff7fb6010) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsatom.cpp:291
#10 0x00000000004b6555 in SweepPhase (cx=0xd05d30, gckind=js::GC_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgc.cpp:3181
#11 0x00000000004b6f79 in MarkAndSweep (cx=0xd05d30, gckind=js::GC_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgc.cpp:3293
#12 0x00000000004b7feb in GCCycle (cx=0xd05d30, full=true, budget=0, gckind=js::GC_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgc.cpp:3653
#13 0x00000000004b8431 in Collect (cx=0xd05d30, full=true, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::LAST_CONTEXT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgc.cpp:3749
#14 0x00000000004b8600 in js::GC (cx=0xd05d30, full=true, gckind=js::GC_NORMAL, reason=js::gcreason::LAST_CONTEXT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgc.cpp:3770
#15 0x0000000000478f39 in js_DestroyContext (cx=0xd05d30, mode=JSDCM_FORCE_GC) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jscntxt.cpp:281
#16 0x000000000043800d in JS_DestroyContext (cx=0xd05d30) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsapi.cpp:1165
#17 0x0000000000411bb0 in DestroyContext (cx=0xd05d30, withGC=true) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:4567
#18 0x0000000000413705 in main (argc=6, argv=0x7fffffffde38, envp=0x7fffffffde70) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5118
Comment 2 Christian Holler (:decoder) 2012-04-05 18:03:41 PDT
This seems to cause quite a lot of different signatures; it would be nice if it could be fixed first. It's some kind of memory corruption.
Comment 3 Jesse Ruderman 2012-04-05 18:15:32 PDT
I can't reproduce on Mac.
Comment 4 Nicolas B. Pierron [:nbp] 2012-04-07 23:46:02 PDT
Created attachment 613163
InitProp: Fix dynamic slot index.
Comment 5 Sean Stangl [:sstangl] 2012-04-09 15:41:51 PDT
Comment on attachment 613163
InitProp: Fix dynamic slot index.

Review of attachment 613163:
-----------------------------------------------------------------

::: js/src/ion/IonBuilder.cpp
@@ +2866,5 @@
>  
>      MSlots *slots = MSlots::New(obj);
>      current->add(slots);
>  
> +    MStoreSlot *store = MStoreSlot::New(slots, baseObj->dynamicSlotIndex(shape->slot()), value);
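Review bot: the index on the `+` line is computed from baseObj at compile time (baseObj->dynamicSlotIndex(shape->slot())) while the store goes through the slots array loaded from the runtime object by MSlots::New(obj) two lines above, so the lowering is only correct if the object created at runtime has the same fixed-slot count as baseObj; since the isFixedSlot() case is handled above, add an assertion here that shape->slot() is not a fixed slot of baseObj (or a comment stating the invariant), so that a future change to how baseObj is chosen cannot silently reintroduce an out-of-range dynamic slot index.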

Good catch. The isFixedSlot() case is handled above.
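The following is an added illustration of the slot layout the patch corrects; it is example code written for this page, not SpiderMonkey's own code. Property slots are numbered from zero, the first nfixed live inline in the object and the rest in a separately allocated dynamic slots array, so a store into that array must use slot - nfixed (what dynamicSlotIndex() returns), not the raw shape slot. The names ToyObject, initPropBuggy, initPropFixed and countOutOfBoundsStores are hypothetical, and nfixed = 16 is an assumed fixed-slot count chosen to mirror the 21-property testcase above; the out-of-bounds write is reported rather than performed so the program stays well-defined.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not SpiderMonkey code. Toy model of an object whose slots are
// numbered 0..nslots-1: the first nfixed are inline, the remainder live in a
// separately allocated "dynamic slots" array (what MSlots loads). Slot numbers
// taken from the shape are absolute; the dynamic array is indexed by slot - nfixed.
struct ToyObject {
    size_t nfixed;
    std::vector<uint64_t> fixedSlots;    // inline slots [0, nfixed)
    std::vector<uint64_t> dynamicSlots;  // slots [nfixed, nslots), index = slot - nfixed

    ToyObject(size_t nslots, size_t nfixed_)
        : nfixed(nfixed_),
          fixedSlots(nfixed_ < nslots ? nfixed_ : nslots, uint64_t{0}),
          dynamicSlots(nslots > nfixed_ ? nslots - nfixed_ : 0, uint64_t{0}) {}

    bool isFixedSlot(size_t slot) const { return slot < nfixed; }
    size_t dynamicSlotIndex(size_t slot) const {
        assert(!isFixedSlot(slot));
        return slot - nfixed;
    }
};

// Outcome of one store into the dynamic slots array. A real engine writes
// straight through the pointer; here an out-of-bounds index is reported instead
// of performed, which is the only thing a sanitizer-free demo can safely do.
struct StoreResult {
    size_t index;     // index used into dynamicSlots
    size_t capacity;  // dynamicSlots.size()
    bool inBounds;
};

static StoreResult storeDynamic(ToyObject& obj, size_t index, uint64_t value) {
    StoreResult r{index, obj.dynamicSlots.size(), index < obj.dynamicSlots.size()};
    if (r.inBounds)
        obj.dynamicSlots[index] = value;
    return r;
}

// Buggy lowering: the absolute slot number is used as the index into the dynamic
// array. Every dynamic slot lands nfixed entries too far, and for the last
// properties that is past the end of the heap allocation: a heap overflow whose
// damage the allocator trips over later (the malloc_consolidate crash above).
StoreResult initPropBuggy(ToyObject& obj, size_t slot, uint64_t value) {
    if (obj.isFixedSlot(slot)) {        // fixed-slot path, handled separately
        obj.fixedSlots[slot] = value;
        return {slot, obj.fixedSlots.size(), true};
    }
    return storeDynamic(obj, slot, value);
}

// Fixed lowering, mirroring the patched line: index by dynamicSlotIndex(slot).
StoreResult initPropFixed(ToyObject& obj, size_t slot, uint64_t value) {
    if (obj.isFixedSlot(slot)) {
        obj.fixedSlots[slot] = value;
        return {slot, obj.fixedSlots.size(), true};
    }
    return storeDynamic(obj, obj.dynamicSlotIndex(slot), value);
}

// Replays the shape of the crashing testcase: an object literal initialised one
// property at a time. Returns how many initialisations would have written outside
// the dynamic array. nfixed is a parameter because the bug is invisible while every
// property still fits in a fixed slot, which is why small literals never crashed.
size_t countOutOfBoundsStores(size_t nprops, size_t nfixed, bool useFix) {
    ToyObject obj(nprops, nfixed);
    size_t oob = 0;
    for (size_t slot = 0; slot < nprops; ++slot) {
        StoreResult r = useFix ? initPropFixed(obj, slot, slot)
                               : initPropBuggy(obj, slot, slot);
        if (!r.inBounds)
            ++oob;
    }
    return oob;
}

int main() {
    // 21 properties with an assumed 16 fixed slots: 5 properties go to dynamic slots.
    std::printf("21 props, nfixed=16: buggy OOB stores=%zu, fixed OOB stores=%zu\n",
                countOutOfBoundsStores(21, 16, false),
                countOutOfBoundsStores(21, 16, true));
    return 0;
}
```

With 21 properties and 16 fixed slots the buggy path puts all five dynamic-slot stores past the end of a five-element array, while a literal with 10 properties reports none, which matches why only the fuzzer's large object literal reached the allocator crash.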
Comment 6 Nicolas B. Pierron [:nbp] 2012-04-09 18:44:09 PDT
https://hg.mozilla.org/projects/ionmonkey/rev/e57e79302ed6
Comment 7 Nicolas B. Pierron [:nbp] 2012-04-18 11:11:00 PDT
*** Bug 741207 has been marked as a duplicate of this bug. ***
Comment 8 Christian Holler (:decoder) 2013-02-07 05:14:05 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
