Closed Bug 789342 Opened 12 years ago Closed 11 years ago

Conditional jump or move depends on uninitialised value(s) [@ js::mjit::CallsiteMatches]

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
major


RESOLVED WONTFIX

People

(Reporter: gkw, Unassigned)

Details

(Keywords: testcase, valgrind, Whiteboard: [js:t])

Attachments

(1 file)

The upcoming attached testcase shows the following error on 32-bit js debug and opt shell on m-c changeset ca630290d89d:

==30769== Conditional jump or move depends on uninitialised value(s)
==30769==    at 0x845F2C4: js::mjit::CallsiteMatches(unsigned char*, js::mjit::CallSite const&, void*) (Retcon.cpp:43)
==30769==    by 0x845FAC0: js::mjit::Recompiler::expandInlineFrames(JSCompartment*, js::StackFrame*, js::mjit::CallSite*, js::StackFrame*, js::VMFrame*) (Retcon.cpp:261)
==30769==    by 0x845FCFD: js::mjit::ExpandInlineFrames(JSCompartment*) (Retcon.cpp:315)
==30769==    by 0x813BDAF: js::types::TypeCompartment::processPendingRecompiles(js::FreeOp*) (jsinfer.cpp:2194)
==30769==    by 0x80A66C2: js::types::AutoEnterTypeInference::~AutoEnterTypeInference() (jsinferinlines.h:266)
==30769==    by 0x81459CC: js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) (jsinfer.cpp:5159)
==30769==    by 0x815D4D4: js::types::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, JS::Value const&) (jsinferinlines.h:738)
==30769==    by 0x843E0A8: js::mjit::CallCompiler::generateNativeStub() (MonoIC.cpp:777)
==30769==    by 0x843F033: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1007)
==30769==    by 0x6B48A69: ???
==30769==    by 0x8685FF3: ??? (in /home/fuzz2lin/Desktop/jsfunfuzz-mozilla-central-b2l2qC-ca630290d89d-104419/js-dbg-32-mozilla-central-linux)
==30769==  Uninitialised value was created by a stack allocation
==30769==    at 0x4DD370F: ???
==30769== 
==30769==
Attached file vgdb output (in gdb)
dvander has kindly taken a look at this - it was mentioned that it might be a Valgrind issue.

If one looks at the bottom of the log, Valgrind seems to be saying that whatever is inside frameAddr is uninitialized, but this seems not to be the case. The js code looks correct, so it might be something to do with Valgrind.

Using Valgrind r12961 on Ubuntu Linux 12.04.

32-bit shell configuration command is:

CC="gcc -m32" CXX="g++ -m32" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh js/src/configure --target=i686-pc-linux --disable-optimize --enable-debug --enable-methodjit --enable-type-inference --enable-more-deterministic --disable-tests --enable-valgrind --with-ccache
I ran:

valgrind --smc-check=all-non-file ./js -m -n -a testcase.js

to reproduce.
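As an added illustration (not code from this bug or from SpiderMonkey), the shape of bug that produces exactly this memcheck report: a record is allocated on the stack, only some of its fields are written, and a branch then depends on the unwritten one. The defective initialiser is shown beside the fully defined one. CallSiteRec, callsiteMatches and g_code are hypothetical stand-ins, not js::mjit::CallSite or js::mjit::CallsiteMatches.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for a JIT call-site record (not SpiderMonkey's
 * js::mjit::CallSite): an offset into the compiled code plus a flag that
 * the matcher's branch depends on. sizeof is 8: three padding bytes follow
 * `inlined`. */
struct CallSiteRec {
    uint32_t pcOffset;
    uint8_t  inlined;
};

/* Matcher shaped like a CallsiteMatches(pc, site, frame)-style check: does
 * this pc land on the recorded call site, and is the site a non-inlined one?
 * Both operands of && feed a conditional jump, so memcheck reports here if
 * either field was never written. */
static int callsiteMatches(const uint8_t *codeBase,
                           const struct CallSiteRec *site,
                           const uint8_t *pc)
{
    return codeBase + site->pcOffset == pc && site->inlined == 0;
}

/* Deliberately defective: writes pcOffset and leaves `inlined` as whatever
 * was on the stack. Under valgrind this yields "Conditional jump or move
 * depends on uninitialised value(s)" at the `site->inlined == 0` test, and
 * --track-origins=yes names this stack allocation as the origin. The result
 * is unspecified; it is here only to be run under valgrind. */
static int matchPartiallyInitialised(const uint8_t *codeBase, uint32_t off,
                                     const uint8_t *pc)
{
    struct CallSiteRec site;          /* stack allocation, not zeroed */
    site.pcOffset = off;
    return callsiteMatches(codeBase, &site, pc);
}

/* Hardened form: the record is fully defined before anything branches on
 * it. memset also defines the padding bytes, which matters if the record is
 * ever compared bytewise (memcmp) or hashed. */
static int matchFullyInitialised(const uint8_t *codeBase, uint32_t off,
                                 int inlined, const uint8_t *pc)
{
    struct CallSiteRec site;
    memset(&site, 0, sizeof site);
    site.pcOffset = off;
    site.inlined = (uint8_t)(inlined != 0);
    return callsiteMatches(codeBase, &site, pc);
}

/* Constructed buffer standing in for JIT-emitted code (contents irrelevant). */
static uint8_t g_code[64];

int main(void)
{
    /* A call site 16 bytes into the buffer, not inlined. */
    printf("full init, pc at site:   %d\n", matchFullyInitialised(g_code, 16, 0, g_code + 16));
    printf("full init, pc elsewhere: %d\n", matchFullyInitialised(g_code, 16, 0, g_code + 20));
    printf("full init, inlined site: %d\n", matchFullyInitialised(g_code, 16, 1, g_code + 16));
    /* Only meaningful under valgrind; memcheck flags the branch inside. */
    printf("partial init:            %d\n", matchPartiallyInitialised(g_code, 16, g_code + 16));
    return 0;
}
```

Build with gcc -g -O0 and run under valgrind --track-origins=yes to see the report pinned to the `site->inlined == 0` test, with the stack allocation in matchPartiallyInitialised as the origin. To settle the question raised above (whether a value memcheck calls uninitialised really is), the direct check is VALGRIND_CHECK_MEM_IS_DEFINED(addr, len) from <valgrind/memcheck.h> placed just before the flagged branch: it reports the exact undefined bytes at that point, or nothing if the memory is defined and the complaint comes from elsewhere (for code memcheck could not follow, such as JIT-emitted code, --smc-check also matters).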
I can't see the test case -- is it attached?
I've forwarded a mail containing the testcase.
So regardless of whatever seems to be at fault here, this will go away when the new upcoming baseline JIT compiler is completed and, together with IonMonkey, replaces JaegerMonkey.
Whiteboard: [js:t]
JaegerMonkey has been removed in bug 857845 -> WONTFIX
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX