Bug 756235 - IonMonkey: Crash [@ js::gc::ArenaHeader::allocated]
Status: RESOLVED FIXED (Closed)
Opened 12 years ago; closed 12 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Assigned: jandem
Keywords: crash, testcase; Whiteboard: [jsbugmon:ignore]
Attachments (1 file): patch, 3.19 KB, sstangl: review+
The following testcase crashes on ionmonkey revision 14735b4dbccc (run with --ion -n):

gczeal(2);
try {
  function complex(aReal, aImag) {
    let Z = new complex(0.0, 0.0);
  }
  function f(trace) {
    const width = 60;
    const height = 60;
    for (let img_x = 0; img_x < width; ((function() {}).abstract)) {
      for (let img_y = 0; img_y < height; img_y++) {
        let C = new complex(-2 + (img_x / width) * 3, -1.5 + (img_y / height) * 3);
      }
    }
  }
  var timenonjit = f(false);
} catch(exc1) {}
Comment 1 (Reporter) • 12 years ago
Please note that this test requires multiple runs to reproduce.

Crash backtrace:

#0  0x0000000000405396 in js::gc::ArenaHeader::allocated (this=0x0) at ../../gc/Heap.h:468
#1  0x00000000004053e8 in js::gc::ArenaHeader::getAllocKind (this=0x0) at ../../gc/Heap.h:498
#2  0x0000000000424902 in js::gc::Cell::getAllocKind (this=0x1c0) at ../gc/Heap.h:942
#3  0x00000000004af809 in js::gc::GetGCThingTraceKind (thing=0x1c0) at ionmonkey/js/src/jsgcinlines.h:63
#4  0x00000000006f05cf in js::gc::MarkGCThingRoot (trc=0x7ffff7fb4228, thingp=0x7ffffff84ea0, name=0x997c3c "ion-gc-spill") at ionmonkey/js/src/gc/Marking.cpp:270
#5  0x00000000006f1388 in js::gc::MarkThingOrValueRoot (trc=0x7ffff7fb4228, word=0x7ffffff84ea0, name=0x997c3c "ion-gc-spill") at ionmonkey/js/src/gc/Marking.cpp:541
#6  0x0000000000809b97 in MarkIonJSFrame (trc=0x7ffff7fb4228, frame=...) at ionmonkey/js/src/ion/IonFrames.cpp:498
#7  0x0000000000809e74 in MarkIonActivation (trc=0x7ffff7fb4228, top=0x7ffffff84e98 "\315+\364\367\377\177", activation=0x7fffffffc5c0) at ionmonkey/js/src/ion/IonFrames.cpp:573
#8  0x0000000000809f41 in js::ion::MarkIonActivations (rt=0x7ffff7fb4010, trc=0x7ffff7fb4228) at ionmonkey/js/src/ion/IonFrames.cpp:594
#9  0x00000000004c49e6 in js::MarkRuntime (trc=0x7ffff7fb4228, useSavedRoots=false) at ionmonkey/js/src/jsgc.cpp:2378
#10 0x00000000004c5cf8 in BeginMarkPhase (rt=0x7ffff7fb4010) at ionmonkey/js/src/jsgc.cpp:3033
#11 0x00000000004c72b8 in NonIncrementalMark (rt=0x7ffff7fb4010, gckind=js::GC_NORMAL) at ionmonkey/js/src/jsgc.cpp:3335
#12 0x00000000004c82e9 in GCCycle (rt=0x7ffff7fb4010, incremental=false, budget=0, gckind=js::GC_NORMAL) at ionmonkey/js/src/jsgc.cpp:3682
#13 0x00000000004c8885 in Collect (rt=0x7ffff7fb4010, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:3783
#14 0x00000000004c8a73 in js::GC (rt=0x7ffff7fb4010, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:3807
#15 0x00000000004c264e in js::gc::RunLastDitchGC (cx=0xd9a5a0, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:1701
#16 0x00000000004c9842 in js::gc::RunDebugGC (cx=0xd9a5a0) at ionmonkey/js/src/jsgc.cpp:4026
#17 0x000000000046a862 in js::gc::NewGCThing<JSObject> (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2, thingSize=48) at ../jsgcinlines.h:446
#18 0x0000000000459173 in js_NewGCObject (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2) at ../jsgcinlines.h:492
#19 0x0000000000527ed8 in JSObject::create (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2, shape=..., type=..., slots=0x0) at ../jsobjinlines.h:849
#20 0x0000000000548751 in NewObject (cx=0xd9a5a0, clasp=0xd4ccc0, type=0x7ffff0900280, parent=0x7ffff0903060, kind=js::gc::FINALIZE_OBJECT2) at ionmonkey/js/src/jsobj.cpp:2763
#21 0x0000000000548a6b in js::NewObjectWithGivenProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=0x7ffff0904190, parent=0x7ffff0903060, kind=js::gc::FINALIZE_OBJECT2) at ionmonkey/js/src/jsobj.cpp:2807
#22 0x000000000042af8e in js::NewObjectWithGivenProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=0x7ffff0904190, parent=0x7ffff0903060) at ../jsobjinlines.h:1375
#23 0x000000000066a1e9 in js::CreateBlankProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=..., global=...) at ionmonkey/js/src/vm/GlobalObject.cpp:409
#24 0x000000000066a2c0 in js::GlobalObject::createBlankPrototypeInheriting (this=0x7ffff0903060, cx=0xd9a5a0, clasp=0xd4ccc0, proto=...) at ionmonkey/js/src/vm/GlobalObject.cpp:429
#25 0x00000000004ab5af in InitErrorClass (cx=0xd9a5a0, global=..., type=1, proto=...) at ionmonkey/js/src/jsexn.cpp:869
#26 0x00000000004abe75 in js_InitExceptionClasses (cx=0xd9a5a0, obj=0x7ffff0903060) at ionmonkey/js/src/jsexn.cpp:933
#27 0x000000000054e087 in js_GetClassObject (cx=0xd9a5a0, obj=0x7ffff0903060, key=JSProto_InternalError, objp=0x7ffffff84968) at ionmonkey/js/src/jsobj.cpp:4244
#28 0x000000000054e29f in js_FindClassObject (cx=0xd9a5a0, start=0x0, protoKey=JSProto_InternalError, vp=0x7ffffff849d0, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:4278
#29 0x0000000000554195 in js::FindClassPrototype (cx=0xd9a5a0, scopeobj=0x0, protoKey=JSProto_InternalError, protop=0x7ffffff84b68, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:5797
#30 0x0000000000554353 in js_GetClassPrototype (cx=0xd9a5a0, scopeobj=0x0, protoKey=JSProto_InternalError, protop=0x7ffffff84b68, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:5839
#31 0x00000000004ac2aa in js_ErrorToException (cx=0xd9a5a0, message=0xda4960 "too much recursion", reportp=0x7ffffff84c80, callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0) at ionmonkey/js/src/jsexn.cpp:1058
#32 0x0000000000484e46 in ReportError (cx=0xd9a5a0, message=0xda4960 "too much recursion", reportp=0x7ffffff84c80, callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0) at ionmonkey/js/src/jscntxt.cpp:356
#33 0x0000000000485fe4 in js_ReportErrorNumberVA(JSContext *, unsigned int, JSErrorCallback, void *, unsigned int, JSBool, typedef __va_list_tag __va_list_tag *) (cx=0xd9a5a0, flags=0, callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=26, charArgs=1, ap=0x7ffffff84d30) at ionmonkey/js/src/jscntxt.cpp:740
#34 0x000000000044b6fc in JS_ReportErrorNumber (cx=0xd9a5a0, errorCallback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=26) at ionmonkey/js/src/jsapi.cpp:6200
#35 0x00000000004851ce in js_ReportOverRecursed (maybecx=0xd9a5a0) at ionmonkey/js/src/jscntxt.cpp:447
#36 0x000000000085f975 in js::ion::ReportOverRecursed (cx=0xd9a5a0) at ionmonkey/js/src/ion/VMFunctions.cpp:90
#37 0x00007ffff7f42526 in ?? ()
Comment 2 (David Anderson [:dvander]) • 12 years ago

This one does not crash for me on either the given cset or tip, debug linux 64 and 32. Can anyone else reproduce it?
Comment 3 (Assignee) • 12 years ago
(In reply to David Anderson [:dvander] from comment #2)
> This one does not crash for me on either the given cset or tip, debug linux
> 64 and 32. Can anyone else reproduce it?

I can't reproduce it on OS X either.
Comment 4 (Reporter) • 12 years ago
Putting this on ignore first since the bug does not reproduce in a stable way. Will check reproduction again manually now.
Whiteboard: [jsbugmon:update] → [jsbugmon:ignore]
Comment 5 (Reporter) • 12 years ago
I just reproduced this again on tip (8c54899dae82), but I had to run it twice. This is x86-64 Linux and the build is configured with:

--enable-debug --disable-optimize --enable-valgrind --enable-oom-backtrace

If you still cannot reproduce this, then I can provide dvander/jandem a login to one of the fuzz servers so they can reproduce and debug it there.
Comment 6 (Assignee) • 12 years ago
I can reproduce it on Linux.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Comment 7 (Assignee) • 12 years ago
LFunctionEnvironment can appear before LCheckOverRecursed, so if the recursion check fails we need to save all live registers or a GC triggered by ReportOverRecursed could crash.
Attachment #625098 -
Flags: review?(sstangl)
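Comment 7 states the general rule behind the fix: an out-of-line path that calls into the VM can trigger a GC, and the collector only finds the roots that the JIT has written to the stack, so GC pointers still sitting in registers are either missed (later freed while in use) or replaced by whatever stale word the spill slot held (the this=0x1c0 in the backtrace). The following is an added example, in C, written for this page and not SpiderMonkey code: a toy heap, register file and frame whose spill slots are scanned as roots, with the check before and after a saveLive/restoreLive pair. All names (Cell, Frame, run_scenario, the 0x1c0 stale word) are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not SpiderMonkey code: a tiny heap of GC cells, a JIT
 * "register file", and a frame whose spill slots the collector scans as
 * roots (the "ion-gc-spill" roots in the backtrace above). */
#define HEAP_CELLS 8
#define NUM_REGS   4

typedef struct { bool live; bool marked; } Cell;
static Cell heap[HEAP_CELLS];

typedef struct { Cell *regs[NUM_REGS]; } Registers;  /* pointers only in registers */
typedef struct {
    Cell *spill[NUM_REGS];  /* spill slots the collector treats as roots */
    int invalid_roots;      /* roots that did not point at a live heap cell */
} Frame;

/* Stand-in for the ArenaHeader/allocKind lookups that crashed on 0x1c0. */
static bool is_heap_cell(const Cell *p) {
    for (int i = 0; i < HEAP_CELLS; i++)
        if (p == &heap[i]) return heap[i].live;
    return false;
}

static Cell *alloc_cell(void) {
    for (int i = 0; i < HEAP_CELLS; i++)
        if (!heap[i].live) { heap[i].live = true; heap[i].marked = false; return &heap[i]; }
    return NULL;  /* toy heap exhausted */
}

/* Mark phase: every non-null spill slot is a root. The real collector
 * dereferences it unconditionally; here a bad root is counted instead. */
static void gc_mark_frame(Frame *f) {
    for (int i = 0; i < HEAP_CELLS; i++) heap[i].marked = false;
    for (int i = 0; i < NUM_REGS; i++) {
        Cell *root = f->spill[i];
        if (!root) continue;
        if (!is_heap_cell(root)) { f->invalid_roots++; continue; }  /* the crash in frame #0 */
        root->marked = true;
    }
}

/* The VM call of the out-of-line path: reporting over-recursion allocates
 * the exception object, which can run a GC (frames #17..#36 above). */
static void report_over_recursed(Frame *f) { gc_mark_frame(f); }

/* saveLive/restoreLive: copy register-held GC pointers into the scanned
 * spill slots before the call and back into registers afterwards. */
static void save_live(const Registers *r, Frame *f) { memcpy(f->spill, r->regs, sizeof f->spill); }
static void restore_live(Registers *r, const Frame *f) { memcpy(r->regs, f->spill, sizeof r->regs); }

/* Before the fix: live values stay in registers; the GC sees stale slots. */
static void check_over_recursed_buggy(Registers *r, Frame *f, int depth, int limit) {
    (void)r;
    if (depth > limit) report_over_recursed(f);
}

/* After the fix: spill every live register first, restore on return. */
static void check_over_recursed_fixed(Registers *r, Frame *f, int depth, int limit) {
    if (depth > limit) { save_live(r, f); report_over_recursed(f); restore_live(r, f); }
}

typedef struct { int invalid_roots; int marked; } Result;

/* Scenario from comment 7: LFunctionEnvironment has already put GC pointers
 * in registers when LCheckOverRecursed fails (depth 100 against limit 50). */
static Result run_scenario(bool fixed) {
    memset(heap, 0, sizeof heap);
    Registers r = { { 0 } };
    Frame f = { { 0 }, 0 };
    r.regs[0] = alloc_cell();  /* environment object */
    r.regs[1] = alloc_cell();  /* object under construction */
    /* Constructed stale word left in a spill slot by earlier code; the value
     * mirrors the this=0x1c0 in the backtrace. */
    f.spill[2] = (Cell *)(uintptr_t)0x1c0;

    if (fixed) check_over_recursed_fixed(&r, &f, 100, 50);
    else       check_over_recursed_buggy(&r, &f, 100, 50);

    Result res = { f.invalid_roots, 0 };
    for (int i = 0; i < NUM_REGS; i++)
        if (r.regs[i] && r.regs[i]->marked) res.marked++;
    return res;
}

int main(void) {
    Result b = run_scenario(false), g = run_scenario(true);
    printf("without saveLive: %d invalid root(s), %d of 2 live cells marked\n", b.invalid_roots, b.marked);
    printf("with saveLive:    %d invalid root(s), %d of 2 live cells marked\n", g.invalid_roots, g.marked);
    return 0;
}
```

Without the spill, the collector both hits the garbage root (the crash in this bug) and fails to mark the two objects the JIT code is still using, which is the silent use-after-free variant of the same mistake; with saveLive the stale slot is overwritten by the real live values and both cells are marked. The real engine additionally records per-safepoint which slots hold GC pointers rather than scanning every slot; that bookkeeping is omitted here.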
Comment 8 • 12 years ago
Comment on attachment 625098 [details] [diff] [review]
Patch

Review of attachment 625098 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/CodeGenerator.cpp
@@ +805,5 @@
> typedef bool (*pf)(JSContext *);
> static const VMFunction ReportOverRecursedInfo =
> FunctionInfo<pf>(ReportOverRecursed);
>
> + saveLive(ool->lir());

This is strongly deserving of an explanatory comment. The description given in Comment 7 is likely fine.
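Review bot: the matching restore of the registers spilled by `+ saveLive(ool->lir());` is not visible in this hunk, whose context stops at the added line; confirm that the out-of-line path restores them after the ReportOverRecursed call returns and before it rejoins the main code path, since a GC during the call may have moved nothing but the code after it still expects the values back in registers. The added line also needs the comment the reviewer asks for above, stating that LFunctionEnvironment can precede LCheckOverRecursed, so live GC pointers must be on the stack when the VM call runs a GC.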
Attachment #625098 -
Flags: review?(sstangl) → review+
Comment 9 (Assignee) • 12 years ago
Pushed with nit fixed: https://hg.mozilla.org/projects/ionmonkey/rev/9791b2e62b00
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 11 (Reporter) • 11 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756235.js.
Flags: in-testsuite+