Closed
Bug 789342
Opened 13 years ago
Closed 12 years ago
Conditional jump or move depends on uninitialised value(s) [@ js::mjit::CallsiteMatches]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
WONTFIX
People
(Reporter: gkw, Unassigned)
Details
(Keywords: testcase, valgrind, Whiteboard: [js:t])
Attachments (1 file): 13.08 KB, text/plain
The upcoming attached testcase shows the following error on 32-bit js debug and opt shell on m-c changeset ca630290d89d :
==30769== Conditional jump or move depends on uninitialised value(s)
==30769== at 0x845F2C4: js::mjit::CallsiteMatches(unsigned char*, js::mjit::CallSite const&, void*) (Retcon.cpp:43)
==30769== by 0x845FAC0: js::mjit::Recompiler::expandInlineFrames(JSCompartment*, js::StackFrame*, js::mjit::CallSite*, js::StackFrame*, js::VMFrame*) (Retcon.cpp:261)
==30769== by 0x845FCFD: js::mjit::ExpandInlineFrames(JSCompartment*) (Retcon.cpp:315)
==30769== by 0x813BDAF: js::types::TypeCompartment::processPendingRecompiles(js::FreeOp*) (jsinfer.cpp:2194)
==30769== by 0x80A66C2: js::types::AutoEnterTypeInference::~AutoEnterTypeInference() (jsinferinlines.h:266)
==30769== by 0x81459CC: js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) (jsinfer.cpp:5159)
==30769== by 0x815D4D4: js::types::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, JS::Value const&) (jsinferinlines.h:738)
==30769== by 0x843E0A8: js::mjit::CallCompiler::generateNativeStub() (MonoIC.cpp:777)
==30769== by 0x843F033: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1007)
==30769== by 0x6B48A69: ???
==30769== by 0x8685FF3: ??? (in /home/fuzz2lin/Desktop/jsfunfuzz-mozilla-central-b2l2qC-ca630290d89d-104419/js-dbg-32-mozilla-central-linux)
==30769== Uninitialised value was created by a stack allocation
==30769== at 0x4DD370F: ???
==30769==
==30769==
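As an added illustration (not part of the bug report or of the SpiderMonkey code it discusses), the C program below reproduces, in ordinary non-JIT code, the two-part Valgrind message seen in the log: a conditional that depends on an uninitialised value, with the origin reported as a stack allocation (the origin line requires Valgrind's --track-origins=yes). A deliberately buggy comparison sits beside its fixed form so the difference is visible under Valgrind. The struct and function names (site_t, matches_uninit, matches_init, demo) and the sample site table are constructed for this example. One caveat the log itself shows: when the stack frame was set up by JIT-generated code, Valgrind can only print "???" for the origin, which is why a report like this needs a second look before it is taken as a real bug.

```c
/* Added example, not from the bug: minimal reproduction of
 * "Conditional jump or move depends on uninitialised value(s)" whose
 * origin is "a stack allocation". Build with -g -O0 and run under
 * valgrind --track-origins=yes to see both halves of the message. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical call-site record, standing in for the page's CallSite. */
typedef struct {
    uint8_t *pc;            /* code address of the call */
    uint32_t inline_index;  /* which inlined frame it belongs to */
} site_t;

/* Buggy variant: 'needle' lives on the stack and its inline_index field
 * is never written, so the branch below reads an undefined byte range.
 * Valgrind reports the conditional jump here and points the origin at
 * this function's stack frame. */
int matches_uninit(const site_t *site, uint8_t *pc)
{
    site_t needle;
    needle.pc = pc;                 /* inline_index left uninitialised */
    if (needle.pc == site->pc && needle.inline_index == site->inline_index)
        return 1;
    return 0;
}

/* Fixed variant: every byte of the stack object is defined before any
 * branch depends on it. memset also covers padding bytes, which matters
 * if such a struct is ever compared with memcmp or hashed. */
int matches_init(const site_t *site, uint8_t *pc, uint32_t inline_index)
{
    site_t needle;
    memset(&needle, 0, sizeof needle);
    needle.pc = pc;
    needle.inline_index = inline_index;
    return needle.pc == site->pc && needle.inline_index == site->inline_index;
}

/* Driver over a constructed one-entry site table: returns 1 when the
 * requested inline index matches the stored site, 0 otherwise. */
int demo(int inline_index)
{
    static uint8_t code[16];                /* stand-in for JIT code bytes */
    site_t site = { code + 4, 2 };          /* constructed sample site */
    return matches_init(&site, code + 4, (uint32_t)inline_index);
}

int main(void)
{
    static uint8_t code[16];
    site_t site = { code + 4, 2 };
    printf("init, match:    %d\n", demo(2));   /* 1 */
    printf("init, mismatch: %d\n", demo(3));   /* 0 */
    /* Valgrind flags the next call; its result is unspecified by design. */
    printf("uninit:         %d\n", matches_uninit(&site, code + 4));
    return 0;
}
```

Running the binary natively prints plausible values for all three lines, which is exactly why this class of defect is easy to miss without a tool: only the Valgrind run distinguishes the defined comparison from the undefined one.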
Comment 2 • 13 years ago (Reporter)
dvander has kindly taken a look at this - it was mentioned that it might be a Valgrind issue.
If one looks at the bottom of the log, Valgrind seems to be saying that whatever is inside frameAddr is uninitialized, but this seems not to be the case. The js code looks correct, so it might be something to do with Valgrind.
Using Valgrind r12961 on Ubuntu Linux 12.04.
32-bit shell configuration command is:
CC="gcc -m32" CXX="g++ -m32" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh js/src/configure --target=i686-pc-linux --disable-optimize --enable-debug --enable-methodjit --enable-type-inference --enable-more-deterministic --disable-tests --enable-valgrind --with-ccache
Comment 3 • 13 years ago (Reporter)
I ran: valgrind --smc-check=all-non-file ./js -m -n -a testcase.js to reproduce.
Comment 4 • 13 years ago
I can't see the test case -- is it attached?
Comment 5 • 13 years ago (Reporter)
I've forwarded a mail containing the testcase.
Comment 6 • 12 years ago (Reporter)
So regardless of whatever seems to be at fault here, this will go away when the new upcoming baseline JIT compiler is completed and, together with IonMonkey, replaces JaegerMonkey.
Updated • 12 years ago
Whiteboard: [js:t]
Comment 7 • 12 years ago (Reporter)
JaegerMonkey has been removed in bug 857845 -> WONTFIX
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX