Bug 756235 - IonMonkey: Crash [@ js::gc::ArenaHeader::allocated]
Status: RESOLVED FIXED
Whiteboard: [jsbugmon:ignore]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- major
Assigned To: Jan de Mooij [:jandem] (PTO until July 31)
Duplicates: 756776
Blocks: langfuzz IonFuzz
Reported: 2012-05-17 13:14 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 07:39 PST
Flags: choller: in-testsuite+

Attachments
Patch (3.19 KB, patch)
2012-05-18 07:17 PDT, Jan de Mooij [:jandem] (PTO until July 31)
sstangl: review+

Description Christian Holler (:decoder) 2012-05-17 13:14:50 PDT
The following testcase crashes on ionmonkey revision 14735b4dbccc (run with --ion -n):

gczeal(2);  // shell builtin: force frequent debug GCs from inside allocation
try {
function complex(aReal, aImag) {
  let Z = new complex(0.0, 0.0);  // unbounded recursion: every call allocates, then recurses
}
function f(trace) {
  const width = 60;
  const height = 60;
  // The update expression is a property lookup that yields undefined, so img_x never
  // advances; the recursion in complex() exhausts the stack before that matters.
  for (let img_x = 0; img_x < width; ((function() {}).abstract)) {
    for (let img_y = 0; img_y < height; img_y++) {
      let C = new complex(-2 + (img_x / width) * 3, -1.5 + (img_y / height) * 3);
    }
  }
}
var timenonjit = f(false);
} catch(exc1) {}  // swallows the "too much recursion" error; the crash happens in the GC run while that error object is created
Comment 1 Christian Holler (:decoder) 2012-05-17 13:15:56 PDT
Please note that this test requires multiple runs to reproduce.

Crash backtrace:

#0  0x0000000000405396 in js::gc::ArenaHeader::allocated (this=0x0) at ../../gc/Heap.h:468
#1  0x00000000004053e8 in js::gc::ArenaHeader::getAllocKind (this=0x0) at ../../gc/Heap.h:498
#2  0x0000000000424902 in js::gc::Cell::getAllocKind (this=0x1c0) at ../gc/Heap.h:942
#3  0x00000000004af809 in js::gc::GetGCThingTraceKind (thing=0x1c0) at ionmonkey/js/src/jsgcinlines.h:63
#4  0x00000000006f05cf in js::gc::MarkGCThingRoot (trc=0x7ffff7fb4228, thingp=0x7ffffff84ea0, name=0x997c3c "ion-gc-spill") at ionmonkey/js/src/gc/Marking.cpp:270
#5  0x00000000006f1388 in js::gc::MarkThingOrValueRoot (trc=0x7ffff7fb4228, word=0x7ffffff84ea0, name=0x997c3c "ion-gc-spill") at ionmonkey/js/src/gc/Marking.cpp:541
#6  0x0000000000809b97 in MarkIonJSFrame (trc=0x7ffff7fb4228, frame=...) at ionmonkey/js/src/ion/IonFrames.cpp:498
#7  0x0000000000809e74 in MarkIonActivation (trc=0x7ffff7fb4228, top=0x7ffffff84e98 "\315+\364\367\377\177", activation=0x7fffffffc5c0) at ionmonkey/js/src/ion/IonFrames.cpp:573
#8  0x0000000000809f41 in js::ion::MarkIonActivations (rt=0x7ffff7fb4010, trc=0x7ffff7fb4228) at ionmonkey/js/src/ion/IonFrames.cpp:594
#9  0x00000000004c49e6 in js::MarkRuntime (trc=0x7ffff7fb4228, useSavedRoots=false) at ionmonkey/js/src/jsgc.cpp:2378
#10 0x00000000004c5cf8 in BeginMarkPhase (rt=0x7ffff7fb4010) at ionmonkey/js/src/jsgc.cpp:3033
#11 0x00000000004c72b8 in NonIncrementalMark (rt=0x7ffff7fb4010, gckind=js::GC_NORMAL) at ionmonkey/js/src/jsgc.cpp:3335
#12 0x00000000004c82e9 in GCCycle (rt=0x7ffff7fb4010, incremental=false, budget=0, gckind=js::GC_NORMAL) at ionmonkey/js/src/jsgc.cpp:3682
#13 0x00000000004c8885 in Collect (rt=0x7ffff7fb4010, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:3783
#14 0x00000000004c8a73 in js::GC (rt=0x7ffff7fb4010, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:3807
#15 0x00000000004c264e in js::gc::RunLastDitchGC (cx=0xd9a5a0, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:1701
#16 0x00000000004c9842 in js::gc::RunDebugGC (cx=0xd9a5a0) at ionmonkey/js/src/jsgc.cpp:4026
#17 0x000000000046a862 in js::gc::NewGCThing<JSObject> (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2, thingSize=48) at ../jsgcinlines.h:446
#18 0x0000000000459173 in js_NewGCObject (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2) at ../jsgcinlines.h:492
#19 0x0000000000527ed8 in JSObject::create (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2, shape=..., type=..., slots=0x0) at ../jsobjinlines.h:849
#20 0x0000000000548751 in NewObject (cx=0xd9a5a0, clasp=0xd4ccc0, type=0x7ffff0900280, parent=0x7ffff0903060, kind=js::gc::FINALIZE_OBJECT2) at ionmonkey/js/src/jsobj.cpp:2763
#21 0x0000000000548a6b in js::NewObjectWithGivenProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=0x7ffff0904190, parent=0x7ffff0903060, kind=js::gc::FINALIZE_OBJECT2) at ionmonkey/js/src/jsobj.cpp:2807
#22 0x000000000042af8e in js::NewObjectWithGivenProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=0x7ffff0904190, parent=0x7ffff0903060) at ../jsobjinlines.h:1375
#23 0x000000000066a1e9 in js::CreateBlankProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=..., global=...) at ionmonkey/js/src/vm/GlobalObject.cpp:409
#24 0x000000000066a2c0 in js::GlobalObject::createBlankPrototypeInheriting (this=0x7ffff0903060, cx=0xd9a5a0, clasp=0xd4ccc0, proto=...) at ionmonkey/js/src/vm/GlobalObject.cpp:429
#25 0x00000000004ab5af in InitErrorClass (cx=0xd9a5a0, global=..., type=1, proto=...) at ionmonkey/js/src/jsexn.cpp:869
#26 0x00000000004abe75 in js_InitExceptionClasses (cx=0xd9a5a0, obj=0x7ffff0903060) at ionmonkey/js/src/jsexn.cpp:933
#27 0x000000000054e087 in js_GetClassObject (cx=0xd9a5a0, obj=0x7ffff0903060, key=JSProto_InternalError, objp=0x7ffffff84968) at ionmonkey/js/src/jsobj.cpp:4244
#28 0x000000000054e29f in js_FindClassObject (cx=0xd9a5a0, start=0x0, protoKey=JSProto_InternalError, vp=0x7ffffff849d0, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:4278
#29 0x0000000000554195 in js::FindClassPrototype (cx=0xd9a5a0, scopeobj=0x0, protoKey=JSProto_InternalError, protop=0x7ffffff84b68, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:5797
#30 0x0000000000554353 in js_GetClassPrototype (cx=0xd9a5a0, scopeobj=0x0, protoKey=JSProto_InternalError, protop=0x7ffffff84b68, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:5839
#31 0x00000000004ac2aa in js_ErrorToException (cx=0xd9a5a0, message=0xda4960 "too much recursion", reportp=0x7ffffff84c80, callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0) at ionmonkey/js/src/jsexn.cpp:1058
#32 0x0000000000484e46 in ReportError (cx=0xd9a5a0, message=0xda4960 "too much recursion", reportp=0x7ffffff84c80, callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0) at ionmonkey/js/src/jscntxt.cpp:356
#33 0x0000000000485fe4 in js_ReportErrorNumberVA(JSContext *, unsigned int, JSErrorCallback, void *, unsigned int, JSBool, typedef __va_list_tag __va_list_tag *) (cx=0xd9a5a0, flags=0, callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=26, charArgs=1, ap=0x7ffffff84d30) at ionmonkey/js/src/jscntxt.cpp:740
#34 0x000000000044b6fc in JS_ReportErrorNumber (cx=0xd9a5a0, errorCallback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=26) at ionmonkey/js/src/jsapi.cpp:6200
#35 0x00000000004851ce in js_ReportOverRecursed (maybecx=0xd9a5a0) at ionmonkey/js/src/jscntxt.cpp:447
#36 0x000000000085f975 in js::ion::ReportOverRecursed (cx=0xd9a5a0) at ionmonkey/js/src/ion/VMFunctions.cpp:90
#37 0x00007ffff7f42526 in ?? ()
Comment 2 David Anderson [:dvander] 2012-05-18 01:48:02 PDT
This one does not crash for me on either the given cset or tip, debug linux 64 and 32. Can anyone else reproduce it?
Comment 3 Jan de Mooij [:jandem] (PTO until July 31) 2012-05-18 02:16:13 PDT
(In reply to David Anderson [:dvander] from comment #2)
> This one does not crash for me on either the given cset or tip, debug linux
> 64 and 32. Can anyone else reproduce it?

I can't reproduce it on OS X either.
Comment 4 Christian Holler (:decoder) 2012-05-18 03:23:16 PDT
Putting this on ignore first since the bug does not reproduce in a stable way. Will check reproduction again manually now.
Comment 5 Christian Holler (:decoder) 2012-05-18 04:03:07 PDT
I just reproduced this again on tip (8c54899dae82), but I had to run it twice. This is x86-64 Linux and the build is configured with:

--enable-debug --disable-optimize --enable-valgrind --enable-oom-backtrace

If you still cannot reproduce this, then I can provide dvander/jandem a login to one of the fuzz servers so they can reproduce and debug it there.
Comment 6 Jan de Mooij [:jandem] (PTO until July 31) 2012-05-18 06:26:31 PDT
I can reproduce it on Linux.
Comment 7 Jan de Mooij [:jandem] (PTO until July 31) 2012-05-18 07:17:30 PDT
Created attachment 625098 [details] [diff] [review]
Patch

LFunctionEnvironment can appear before LCheckOverRecursed, so if the recursion check fails we need to save all live registers or a GC triggered by ReportOverRecursed could crash.
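A reduced reproducer in the shape Comment 7 describes, added here as an example; it is not from the bug report or the IonMonkey tree. It assumes that a function which creates a closure over one of its locals needs an environment (scope chain) object allocated at entry, which is the LFunctionEnvironment case, and that gczeal exists only in the SpiderMonkey shell. Under Node or a browser the GC hook is absent and the unbounded recursion simply raises RangeError, which the harness still classifies, so the block runs anywhere; to exercise the fixed Ion path it would be run in the shell with --ion -n, as the original testcase was.

```javascript
// Added example (not from the bug or the IonMonkey tree): the three
// ingredients of the crash, in the order the compiled code hits them.
//  1. a closure over a local, so the function allocates an environment
//     object at entry (assumed to correspond to LFunctionEnvironment);
//  2. unbounded recursion, so the stack-depth check (LCheckOverRecursed)
//     fails while that fresh, unrooted object is still live in a register;
//  3. gczeal, a SpiderMonkey shell-only builtin, so a GC runs while the
//     "too much recursion" error object is being allocated.
// Assumption: gczeal is only present in the SpiderMonkey shell, so it is
// called conditionally and the script still runs under Node.
if (typeof gczeal === "function") {
  gczeal(2); // shell-only: collect every N allocations
}

function recurseWithEnvironment(depth) {
  // The inner function closes over `depth`, which is what forces the
  // environment object to exist before the recursive call is made.
  var peek = function () { return depth; };
  return recurseWithEnvironment(peek() + 1);
}

// Runs the reproducer under try/catch and classifies the outcome.
// "over-recursed" is the only acceptable non-crash result: the engine
// reported the recursion limit and unwound cleanly. With the unfixed
// code generator the process dies inside the GC instead, because the
// marker reads a spilled register holding a garbage pointer.
function runReproducer() {
  try {
    recurseWithEnvironment(0);
    return "returned"; // unreachable: the recursion never terminates
  } catch (e) {
    // SpiderMonkey throws InternalError "too much recursion";
    // V8 (Node) throws RangeError "Maximum call stack size exceeded".
    var isRecursionLimit = e instanceof RangeError || e.name === "InternalError";
    return isRecursionLimit ? "over-recursed" : "other: " + e;
  }
}
```

The point of keeping the catch is the same as in the fuzzer testcase: the JavaScript-visible failure is a caught exception, so the only way to observe the bug is a process crash or a GC assertion, which is why Comment 1 notes that the test needs several runs and a debug build with zeal enabled.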
Comment 8 Sean Stangl [:sstangl] 2012-05-18 14:39:53 PDT
Comment on attachment 625098 [details] [diff] [review]
Patch

Review of attachment 625098 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/CodeGenerator.cpp
@@ +805,5 @@
>      typedef bool (*pf)(JSContext *);
>      static const VMFunction ReportOverRecursedInfo =
>          FunctionInfo<pf>(ReportOverRecursed);
>  
> +    saveLive(ool->lir());
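Review bot: the five lines of context stop right after saveLive(ool->lir()), before the callVM and any matching restoreLive, so the excerpt alone does not show whether every path that rejoins the main code restores the saved registers; that should be checked in the full patch, since a save without a restore on a rejoining path leaves the caller reading stale register values. Agree that the line needs a comment: one sentence above the save, saying that LFunctionEnvironment may already have put a freshly allocated scope object in a register before LCheckOverRecursed runs, would explain why registers are saved ahead of a call that only reports an error.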

This is strongly deserving of an explanatory comment. The description given in Comment 7 is likely fine.
Comment 9 Jan de Mooij [:jandem] (PTO until July 31) 2012-05-21 02:17:15 PDT
Pushed with nit fixed:

https://hg.mozilla.org/projects/ionmonkey/rev/9791b2e62b00
Comment 10 David Anderson [:dvander] 2012-05-21 16:42:27 PDT
*** Bug 756776 has been marked as a duplicate of this bug. ***
Comment 11 Christian Holler (:decoder) 2013-01-14 07:39:21 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756235.js.
