Closed Bug 773108 Opened 8 years ago Closed 8 years ago

Crash [@ EmitAliasedVarOp]

Categories: Core :: JavaScript Engine, defect
Platform: x86, macOS
Severity: critical
Status: RESOLVED FIXED (target milestone: mozilla16)
People: Reporter: gkw, Assigned: luke
Keywords: crash, regression, testcase; Whiteboard: [js:t]
Attachments: 2 files

Attached file stack
Function("\
for each(l in[(let(c)([])\
for each(l in[]))(let(c)w for(u in[]))(let(u)w for(l in[]))(let(c)w for(u in[]))\
(let(u)w for each(l in[]))(let(c)w for(u in[]))(let(u)w for(l in[]))(let(c)w for(u in[]))\
(let(l)w for(l in[]))(let(u)w for(l in['']))(let(c)w for(u in[]))(let(u)w for(l in[]))\
(let(c)w for(l in[]))(let(l)w for(l in[]))(let(c)w for(l in[]))(let(u)w for(l in[]))\
(let(c)w for(l in[]))(let(u)w for each(l in[x]))(let(w,x)w for(u in[]))]){}\
")

crashes js opt shell on m-c changeset e4857e5dfb51 without any CLI argument on 10.6.

s-s just-in-case even though this seems to just be a null crash.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   95788:4832054e4e42
user:        Luke Wagner
date:        Wed Apr 11 18:09:20 2012 -0700
summary:     Bug 659577 - emit ScopeCoordinate::hops (r=waldo)

Julian, on 10.6 this asserts Valgrind (a binary from SVN circa June 22, 2012) too:

$ valgrind --dsymutil=yes ./js-opt-32-mozilla-central-darwin w10871-reduced.js 
==96146== Memcheck, a memory error detector
==96146== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==96146== Using Valgrind-3.8.0.SVN and LibVEX; rerun with -h for copyright info
==96146== Command: ./js-opt-32-mozilla-central-darwin w10871-reduced.js
==96146== 
--96146-- run: /usr/bin/dsymutil "./js-opt-32-mozilla-central-darwin"

valgrind: m_scheduler/scheduler.c:707 (do_pre_run_checks): Assertion 'VG_IS_32_ALIGNED(a_vex)' failed.
==96146==    at 0x3802DFA5: ???
==96146==    by 0x3802E168: ???
==96146==    by 0x38075687: ???
==96146==    by 0x38077517: ???
==96146==    by 0x3809C978: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==96146==    at 0x8FE01030: _dyld_start (in /usr/lib/dyld)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.

Gah, more ancient genexpr bugs exposed by my patch.  This will always fault at low-memory, so not s-s.
Group: core-security
Attached patch: fix and test

The cause is pretty simple: pn_blockid is a 20 bit bitfield and we are adding an arbitrary value to it in AdjustBlockId without checking for overflow.

Bonus feature: the caller of transplant() no longer ignores errors.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #641356 - Flags: review?(dvander)
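The overflow mechanism described in the comment above, as an added illustration that is not the attached patch and not SpiderMonkey code: a 20-bit bitfield silently truncates any sum that no longer fits, and the checked variant shows the bound the adjustment has to respect. FakeNode, BLOCKID_LIMIT and the adjust_* helpers are hypothetical stand-ins for the real parse node and AdjustBlockId.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the parse node the comment describes: a node whose
 * block id lives in a 20-bit bitfield. Not SpiderMonkey's ParseNode, just
 * enough structure to show the arithmetic. */
#define BLOCKID_BITS  20
#define BLOCKID_LIMIT (1u << BLOCKID_BITS)   /* first id that does NOT fit: 1048576 */

typedef struct {
    uint32_t pn_blockid : BLOCKID_BITS;      /* block id, 20 bits */
    uint32_t pn_unused  : 32 - BLOCKID_BITS; /* remainder of the word */
} FakeNode;

/* Unchecked adjustment, the shape of the defect: the 32-bit sum is stored
 * into a 20-bit field, so anything past 2^20 - 1 is silently truncated. */
static uint32_t adjust_unchecked(FakeNode *pn, uint32_t adjust)
{
    pn->pn_blockid += adjust;                /* truncated to 20 bits on store */
    return pn->pn_blockid;
}

/* Checked adjustment: refuse (and leave the node untouched) when the new id
 * would not fit. cur < BLOCKID_LIMIT always holds for a value read out of the
 * field, so BLOCKID_LIMIT - cur is at least 1 and the comparison itself
 * cannot wrap. */
static bool adjust_checked(FakeNode *pn, uint32_t adjust)
{
    uint32_t cur = pn->pn_blockid;
    if (adjust >= BLOCKID_LIMIT - cur)
        return false;                        /* cur + adjust >= 2^20: overflow */
    pn->pn_blockid = cur + adjust;
    return true;
}

/* Start a fresh node at `start`, apply the unchecked adjustment and return
 * the id the field actually holds afterwards. */
uint32_t unchecked_result(uint32_t start, uint32_t adjust)
{
    FakeNode n = {0};
    n.pn_blockid = start;
    return adjust_unchecked(&n, adjust);
}

/* Same with the checked form: -1 if the adjustment was rejected, otherwise
 * the new id (always < 2^20). */
int64_t checked_result(uint32_t start, uint32_t adjust)
{
    FakeNode n = {0};
    n.pn_blockid = start;
    if (!adjust_checked(&n, adjust))
        return -1;
    return (int64_t)n.pn_blockid;
}

int main(void)
{
    uint32_t top = BLOCKID_LIMIT - 1;        /* largest id that fits */
    printf("unchecked: %u + 1 -> %u (wrapped to zero)\n", top, unchecked_result(top, 1));
    printf("checked:   %u + 1 -> %lld (rejected)\n", top, (long long)checked_result(top, 1));
    printf("checked:   5 + %u -> %lld (fits exactly)\n", top - 5, (long long)checked_result(5, top - 5));
    return 0;
}
```

The wrapped id is the interesting part for a reviewer: nothing faults at the point of the addition, the bad value only surfaces later when another piece of the compiler indexes by block id, which is why the crash on this bug shows up far from AdjustBlockId.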
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #1)
> Julian, on 10.6 this asserts Valgrind (a binary from SVN circa June 22,
> 2012) too:
> valgrind: m_scheduler/scheduler.c:707 (do_pre_run_checks): Assertion
> 'VG_IS_32_ALIGNED(a_vex)' failed.

Unrelated .. this is a problem in V related to recently introduced AVX
instruction support.  Actually it's a bug in XCode when compiling V ..
As yet unresolved.
Attachment #641356 - Flags: review?(dvander) → review+
Whiteboard: js-triage-needed → [js:t]
https://hg.mozilla.org/mozilla-central/rev/a2ec9847277d
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
> Unrelated .. this is a problem in V related to recently introduced AVX
> instruction support.  Actually it's a bug in XCode when compiling V ..
> As yet unresolved.

Just want to note that I retested on Valgrind SVN r12999 and the Valgrind error did not show up, but I tested on 10.7 and no longer have a 10.6 machine.
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug773108.js.
Flags: in-testsuite+