844469 - BaselineCompiler: Opt-only Crash [@ js::ion::IonActivationIterator::ionStackRange]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on baseline compiler branch revision b7e4d01b541e (run with ):


gczeal(2,50);
test();
function test() {
  function gen_test(test_index) {
      yield 1;
  }
  var iter2 = gen_test(2);
  for (i in iter2) {
    test();
  }
}

Comment 1

[Christian Holler (:decoder)]

Crash trace:


Program received signal SIGSEGV, Segmentation fault.
0x000000000074330d in js::ion::IonActivationIterator::ionStackRange (this=<optimized out>, min=@0x7fffffefe760: 0x7ffff7fa7bb8, end=@0x7fffffefe768: 0xc002f8) at /srv/repos/ionmonkey/js/src/ion/IonFrames.cpp:708
708             min = reinterpret_cast<uintptr_t *>(footer->outVp());
(gdb) bt
#0  0x000000000074330d in js::ion::IonActivationIterator::ionStackRange (this=<optimized out>, min=@0x7fffffefe760: 0x7ffff7fa7bb8, end=@0x7fffffefe768: 0xc002f8) at /srv/repos/ionmonkey/js/src/ion/IonFrames.cpp:708
#1  0x0000000000609bee in MarkRangeConservativelyAndSkipIon (end=0x7ffffffff000, begin=<optimized out>, rt=0x7ffff7fa7010, trc=0x7ffff7fa7210) at /srv/repos/ionmonkey/js/src/gc/RootMarking.cpp:277
#2  MarkConservativeStackRoots (trc=0x7ffff7fa7210, useSavedRoots=<optimized out>) at /srv/repos/ionmonkey/js/src/gc/RootMarking.cpp:327
#3  0x000000000060a673 in js::gc::MarkRuntime (trc=0x7ffff7fa7210, useSavedRoots=<optimized out>) at /srv/repos/ionmonkey/js/src/gc/RootMarking.cpp:704
#4  0x000000000048ab88 in BeginMarkPhase (rt=0x7ffff7fa7010) at /srv/repos/ionmonkey/js/src/jsgc.cpp:2782
#5  IncrementalCollectSlice (rt=0x7ffff7fa7010, budget=<optimized out>, reason=JS::gcreason::DEBUG_GC, gckind=js::GC_NORMAL) at /srv/repos/ionmonkey/js/src/jsgc.cpp:4184
#6  0x000000000048cc64 in GCCycle (rt=0x7ffff7fa7010, incremental=<optimized out>, budget=<optimized out>, gckind=js::GC_NORMAL, reason=JS::gcreason::DEBUG_GC) at /srv/repos/ionmonkey/js/src/jsgc.cpp:4362
#7  0x000000000048d0a2 in Collect (rt=0x7ffff7fa7010, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::DEBUG_GC) at /srv/repos/ionmonkey/js/src/jsgc.cpp:4490
#8  0x0000000000526261 in NewGCThing<JSString, (js::AllowGC)1> (thingSize=32, kind=js::gc::FINALIZE_STRING, cx=0xba8ca0, heap=<optimized out>) at ../jsgcinlines.h:506
#9  js_NewGCString<(js::AllowGC)1> (cx=0xba8ca0) at ../jsgcinlines.h:578
#10 new_<(js::AllowGC)1> (length=6, chars=0xbf20b0, cx=0xba8ca0) at ../vm/String-inl.h:308
#11 js_NewString<(js::AllowGC)1> (cx=0xba8ca0, chars=0xbf20b0, length=6) at /srv/repos/ionmonkey/js/src/jsstr.cpp:3497
#12 0x0000000000426e76 in JS_NewStringCopyZ (cx=0xba8ca0, s=<optimized out>) at /srv/repos/ionmonkey/js/src/jsapi.cpp:5871
#13 0x000000000047871d in js_ErrorToException (cx=0xba8ca0, message=<optimized out>, reportp=0x7fffffefec20, callback=<optimized out>, userRef=<optimized out>) at /srv/repos/ionmonkey/js/src/jsexn.cpp:973
#14 0x000000000044df54 in ReportError (cx=0xba8ca0, message=0xbcae00 "too much recursion", reportp=0x7fffffefec20, callback=0x44b7c0 <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0)
    at /srv/repos/ionmonkey/js/src/jscntxt.cpp:475
#15 0x0000000000450248 in js_ReportErrorNumberVA (cx=0xba8ca0, flags=0, callback=0x44b7c0 <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=26, argumentsType=js::ArgumentsAreASCII, ap=
    0x7fffffefece8) at /srv/repos/ionmonkey/js/src/jscntxt.cpp:942
#16 0x0000000000427ade in JS_ReportErrorNumberVA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=<optimized out>)
    at /srv/repos/ionmonkey/js/src/jsapi.cpp:6483
#17 0x0000000000427b6d in JS_ReportErrorNumber (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>) at /srv/repos/ionmonkey/js/src/jsapi.cpp:6472
#18 0x00000000004b93d2 in js::RunScript (cx=0xba8ca0, fp=0x7ffff67091e0) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:278
#19 0x00000000004c0b66 in SendToGenerator (cx=0xba8ca0, op=JSGENOP_CLOSE, gen=0xd12f80, arg=..., obj=...) at /srv/repos/ionmonkey/js/src/jsiter.cpp:1569
#20 0x00000000004c605c in CloseGenerator (obj=..., cx=<optimized out>) at /srv/repos/ionmonkey/js/src/jsiter.cpp:1615
#21 js::CloseIterator (cx=<optimized out>, obj=...) at /srv/repos/ionmonkey/js/src/jsiter.cpp:1030
#22 0x00000000004c60e7 in js::UnwindIteratorForException (cx=<optimized out>, obj=...) at /srv/repos/ionmonkey/js/src/jsiter.cpp:1041
#23 0x000000000074587c in HandleException (calledDebugEpilogue=<synthetic pointer>, rfe=0x7fffffeff390, frame=..., cx=0xba8ca0) at /srv/repos/ionmonkey/js/src/ion/IonFrames.cpp:412
#24 js::ion::HandleException (rfe=0x7fffffeff390) at /srv/repos/ionmonkey/js/src/ion/IonFrames.cpp:474
#25 0x00007ffff7fee3c6 in ?? ()
#26 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x74330d <js::ion::IonActivationIterator::ionStackRange(unsigned long*&, unsigned long*&)+61>:       cmpl   $0x5,0x18(%rcx)
(gdb) info reg rcx
rcx            0x7fff00000000   140733193388032

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Patch

MarkIonExitFrame should ignore the exit frames created by EnsureExitFrame (instead of treating it as a real exit frame and crash). I think this is only a problem on the IM branch and can't happen on m-c.

Comment 3

[Kannan Vijayan [:djvj]]

Comment on attachment 718436 [details] [diff] [review]
Patch

Review of attachment 718436 [details] [diff] [review]:
-----------------------------------------------------------------

Why are you saying this cannot happen on m-i?

Comment 4

[Jan de Mooij [:jandem]]

https://hg.mozilla.org/projects/ionmonkey/rev/19394d51f4c3

(In reply to Kannan Vijayan [:djvj] from comment #3)
> Why are you saying this cannot happen on m-i?

After a bailout, Ion creates an exit frame (the enterExitFrame() call in generateBailoutTail), so the GC will see a valid IonExitFooterFrame.