773108 - Crash [@ EmitAliasedVarOp]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

Function("\
for each(l in[(let(c)([])\
for each(l in[]))(let(c)w for(u in[]))(let(u)w for(l in[]))(let(c)w for(u in[]))\
(let(u)w for each(l in[]))(let(c)w for(u in[]))(let(u)w for(l in[]))(let(c)w for(u in[]))\
(let(l)w for(l in[]))(let(u)w for(l in['']))(let(c)w for(u in[]))(let(u)w for(l in[]))\
(let(c)w for(l in[]))(let(l)w for(l in[]))(let(c)w for(l in[]))(let(u)w for(l in[]))\
(let(c)w for(l in[]))(let(u)w for each(l in[x]))(let(w,x)w for(u in[]))]){}\
")

crashes js opt shell on m-c changeset e4857e5dfb51 without any CLI argument on 10.6.

s-s just-in-case even though this seems to just be a null crash.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   95788:4832054e4e42
user:        Luke Wagner
date:        Wed Apr 11 18:09:20 2012 -0700
summary:     Bug 659577 - emit ScopeCoordinate::hops (r=waldo)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Julian, on 10.6 this asserts Valgrind (a binary from SVN circa June 22, 2012) too:

$ valgrind --dsymutil=yes ./js-opt-32-mozilla-central-darwin w10871-reduced.js 
==96146== Memcheck, a memory error detector
==96146== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==96146== Using Valgrind-3.8.0.SVN and LibVEX; rerun with -h for copyright info
==96146== Command: ./js-opt-32-mozilla-central-darwin w10871-reduced.js
==96146== 
--96146-- run: /usr/bin/dsymutil "./js-opt-32-mozilla-central-darwin"

valgrind: m_scheduler/scheduler.c:707 (do_pre_run_checks): Assertion 'VG_IS_32_ALIGNED(a_vex)' failed.
==96146==    at 0x3802DFA5: ???
==96146==    by 0x3802E168: ???
==96146==    by 0x38075687: ???
==96146==    by 0x38077517: ???
==96146==    by 0x3809C978: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==96146==    at 0x8FE01030: _dyld_start (in /usr/lib/dyld)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.

Comment 2

[Luke Wagner [:luke]]

Gah, more ancient genexpr bugs exposed by my patch.  This will always fault at low-memory, so not s-s.

Comment 3

[Luke Wagner [:luke]]

Attachment: fix and test

The cause is pretty simple: pn_blockid is a 20 bit bitfield and we are adding an arbitrary value to it in AdjustBlockId without checking for overflow.

Bonus feature: the caller of transplant() no longer ignores errors.

Comment 4

[Julian Seward [:jseward]]

(In reply to Gary Kwong [:gkw, :nth10sd] from comment #1)
> Julian, on 10.6 this asserts Valgrind (a binary from SVN circa June 22,
> 2012) too:
> valgrind: m_scheduler/scheduler.c:707 (do_pre_run_checks): Assertion
> 'VG_IS_32_ALIGNED(a_vex)' failed.

Unrelated .. this is a problem in V related to recently introduced AVX
instruction support.  Actually it's a bug in XCode when compiling V ..
As yet unresolved.

Comment 5

[Luke Wagner [:luke]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/a2ec9847277d

Comment 6

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/a2ec9847277d

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

> Unrelated .. this is a problem in V related to recently introduced AVX
> instruction support.  Actually it's a bug in XCode when compiling V ..
> As yet unresolved.

Just want to note that I retested on Valgrind SVN r12999 and the Valgrind error did not show up, but I tested on 10.7 and no longer have a 10.6 machine.

Comment 8

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug773108.js.