Closed Bug 805421 Opened 12 years ago Closed 12 years ago

crash in js::ion::Cannon

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
Android
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20
Tracking Flags:
Tracking Status
firefox19 --- affected

People

(Reporter: martijn.martijn, Assigned: mjrosenb)

References

Details

(Keywords: crash, Whiteboard: [native-crash])

Crash Data

Attachments

(1 file)

/home/mrosenberg/patches/moreFlushes-r0.patch
3.37 KB, patch
dvander
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-0aebea27-d8ea-4bf2-a56c-d6fee2121025 .
============================================================= 
0 		@0x5cdab000 	
1 	libxul.so 	js::ion::Cannon 	Ion.cpp:1370
2 	libxul.so 	js::RunScript 	jsinterp.cpp:301
3 	libxul.so 	js::InvokeGetterOrSetter 	jsinterp.cpp:379
4 	libxul.so 	js::GetPropertyHelper 	jsscopeinlines.h:295
5 	libxul.so 	js::ion::GetPropertyCache 	IonCaches.cpp:764
6 		@0x5c81a652
This happens for in current trunk build on the Samsung Galaxy Nexus, just by loading http://people.mozilla.org/~mwargers/tests/layout/Morphing%20Clock.htm
URL: http://people.mozilla.org/~mwargers/t...
Keywords: testcase
Hardware: All → ARM
Whiteboard: [native-crash]
Version: unspecified → Trunk
Seems to be wfm in current trunk build.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ js::ion::Cannon(JSContext*, js::StackFrame*)] → [@ js::ion::Cannon(JSContext*, js::StackFrame*)] [@ @0x0 | js::ion::Cannon(JSContext*, js::StackFrame*)]
just looking at the backtrace, and the address that we crash at, I think I know what is wrong here.  Patch should be coming soon.
I discovered two more ways that we can execute code without going through a flusher.  This fixes both of them.  It is pretty simple, since the number of transitions from interpreter -> Ion is small

I should also apply a similar fix in the code that transitions to JM, since we can have the exact same issue on an Interp -> JM -> ion sequence
Attachment #685547 - Flags: review?(dvander)
Comment on attachment 685547 [details] [diff] [review]
/home/mrosenberg/patches/moreFlushes-r0.patch

Review of attachment 685547 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/Ion.cpp
@@ +1450,5 @@
>          JSAutoResolveFlags rf(cx, RESOLVE_INFER);
> +        AutoFlushCache *afc = cx->compartment->ionCompartment()->flusher();
> +        cx->compartment->ionCompartment()->setFlusher(NULL);
> +        if (afc)
> +            afc->flushAnyway();

Do you also need this pattern around EnterMethodJIT, which can enter Ion code? Or is it only EnterIon?

(If it's needed at both places, I'd recommend folding this logic into an AutoForceFlushCache object.)
Attachment #685547 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/99c2b45b6668
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Assignee: general → mrosenberg
Blocks: 821625, 812501
Crash Signature: [@ js::ion::Cannon(JSContext*, js::StackFrame*)] [@ @0x0 | js::ion::Cannon(JSContext*, js::StackFrame*)] → [@ js::ion::Cannon(JSContext*, js::StackFrame*)] [@ @0x0 | js::ion::Cannon(JSContext*, js::StackFrame*)] [@ js::ion::Cannon] [@ @0x0 | js::ion::Cannon]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: