Closed Bug 813387 Opened 12 years ago Closed 6 years ago

IonMonkey: Crash [@ js::GetNextPc] or Opt-Crash [@ js::ion::InvalidationBailout]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox61 - wontfix
firefox62 - wontfix
firefox63 - wontfix

People

(Reporter: decoder, Unassigned, NeedInfo)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,reconfirm,ignore])

Crash Data

The following testcase crashes on mozilla-central revision 4fddb9923ef0 (run with --ion-eager):


function TestCase(n, d, e, a) {
  this.bugnumber = typeof(foo);
  dump('reason: ' + toPrinted(this.reason));
}
function reportCompare (expected, actual, description) {
  var expected_t = typeof expected;
  var testcase = new TestCase("unknown-test-name", description, expected, actual);
}
var lfcode = new Array();
lfcode.push("3");
lfcode.push("\
var BUGNUMBER = 385393;\
var Ru;\
var actual = 'No Crash';\
var expect = 'No Crash';\
test();\
function test() {\
  try   {\
    test();\
  }  catch(ex)  {  }\
  reportCompare('', '', '');\
}\
");
while (true) {
	var file = lfcode.shift(); if (file == undefined) { break; }
        loadFile(file)
}
function loadFile(lfVarx) {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length > 1) {
            switch (lfRunTypeId) {
                case 3: function newFunc(x) { new Function(x)(); }; newFunc(lfVarx); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
    }
}
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000087e366 in js::GetNextPc (pc=0x0) at ../jsopcode.h:651
651         return pc + js_CodeSpec[JSOp(*pc)].length;
(gdb) bt
#0  0x000000000087e366 in js::GetNextPc (pc=0x0) at ../jsopcode.h:651
#1  0x000000000088065c in js::ion::InvalidationBailout (sp=0x7fffffffbcc8, frameSizeOut=0x7fffffffbcc0) at /srv/repos/mozilla-central/js/src/ion/Bailouts.cpp:439
#2  0x00007ffff7fe8578 in ?? ()
#3  0x00007ffff600f280 in ?? ()
Blocks: IonFuzz
Crash Signature: [@ js::GetNextPc] or Opt-Crash [@ js::ion::InvalidationBailout] → [@ js::GetNextPc] [@ js::ion::InvalidationBailout]
Summary: Crash [@ js::GetNextPc] or Opt-Crash [@ js::ion::InvalidationBailout] → IonMonkey: Crash [@ js::GetNextPc] or Opt-Crash [@ js::ion::InvalidationBailout]
Whiteboard: [jsbugmon:update,bisect]
Crash Signature: [@ js::GetNextPc] [@ js::ion::InvalidationBailout] → [@ js::GetNextPc] [@ js::ion::InvalidationBailout]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   106741:6cd206b37176
parent:      106740:b63bb39ed1c0
parent:      103644:a0240c1043ee
user:        David Anderson
date:        Wed Aug 29 17:51:24 2012 -0700
summary:     Merge from mozilla-central.

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, 88e47f6905e9.

This iteration took 109.601 seconds to run.

Oops! We didn't test rev a0240c1043ee, a parent of the blamed revision! Let's do that now.
We did not test rev a0240c1043ee because it is not a descendant of either 4ceb3e9961e4 or 4fddb9923ef0.
Rev a0240c1043ee: Updating... Compiling... Testing... ['--timeout=10']
1
[Uninteresting] It didn't crash. (0.052 seconds)
good (not interesting) 
As expected, the parent's label is the opposite of the blamed rev's label.
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unknown exception (check manually)
Crash Signature: [@ js::GetNextPc] [@ js::ion::InvalidationBailout] → [@ js::GetNextPc] [@ js::ion::InvalidationBailout]
Whiteboard: [jsbugmon:] → [jsbugmon:update,reconfirm]
Crash Signature: [@ js::GetNextPc] [@ js::ion::InvalidationBailout] → [@ js::GetNextPc] [@ js::ion::InvalidationBailout]
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:update,reconfirm,ignore]
JSBugMon: This bug has been automatically confirmed to be still valid (reproduced on revision 524e7bc67431).
Assignee: general → nobody
[Tracking Requested - why for this release]:

Firefox61 and 63 won't fix, finding a patch for 62...
status-firefox61: --- → wontfix
status-firefox62: --- → fix-optional
status-firefox63: --- → wontfix
tracking-firefox61: --- → ?
tracking-firefox62: --- → ?
tracking-firefox63: --- → ?
tracking-thunderbird_esr52: --- → ?
tracking-thunderbird_esr60: --- → ?
Flags: needinfo?(frozcontactpro)
Extremely low volume crash. Not tracking for any releases.
Crash Signature: [@ js::GetNextPc] [@ js::ion::InvalidationBailout] → [@ js::GetNextPc] [@ js::ion::InvalidationBailout]
status-firefox62: fix-optionalwontfix
tracking-firefox61: ?-
tracking-firefox62: ?-
tracking-firefox63: ?-
tracking-thunderbird_esr52: ? → ---
tracking-thunderbird_esr60: ? → ---
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats.  Other resolutions may be appropriate for other reasons.

(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes.  The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
The testcase in comment #1 no longer replicates. The code in which the failure occurred was part of Ion-to-baseline bailout handling, which was removed in bug 868431. Here's the diff: https://searchfox.org/mozilla-central/diff/52fb6ed8f1775f37c2d28569385b762197de587d/js/src/ion/Bailouts.cpp#133

Nothing left to do here. Resolving as fixed.
Status: REOPENED → RESOLVED
Closed: 6 years ago6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.