845046 - OdinMonkey: Crash [@ js::ion::MBasicBlock::inherit] or Opt-Crash [@ copySlots]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on odinmonkey revision 0e9a09e99a15 (run with --ion-eager):


var asm = (function(global, env, buffer) {
  'use asm';
  var STACKTOP=env.STACKTOP|0;
  function stackAlloc(size) {
    size = size|0;
    var i3 = 0, i4 = 0, i26 = 0;
    return STACKTOP|0;
    switch (i4 | 0) {
      case 2:
    }
    return 0;
  }
  return {};
}, buffer);

Comment 1

[Christian Holler (:decoder)]

Debug trace:

Program received signal SIGSEGV, Segmentation fault.
js::ion::MBasicBlock::inherit (this=0xc61e30, pred=0x2, popped=0) at js/src/ion/MIRGraph.cpp:227
227             stackPosition_ = pred->stackPosition_;
(gdb) bt
#0  js::ion::MBasicBlock::inherit (this=0xc61e30, pred=0x2, popped=0) at js/src/ion/MIRGraph.cpp:227
#1  0x0000000000924c4d in js::ion::MBasicBlock::New (graph=..., info=..., pred=0x2, entryPc=0x0, kind=js::ion::MBasicBlock::NORMAL) at js/src/ion/MIRGraph.cpp:112
#2  0x000000000096e5cf in newBlockWithDepth (block=0x7fffffffb2c8, loopDepth=0, pred=<optimized out>, this=0x7fffffffb670) at js/src/ion/AsmJS.cpp:2159
#3  newBlock (block=0x7fffffffb2c8, pred=<optimized out>, this=0x7fffffffb670) at js/src/ion/AsmJS.cpp:2169
#4  FunctionCompiler::startSwitchCase (this=0x7fffffffb670, switchBlock=<optimized out>, next=0x7fffffffb2c8) at js/src/ion/AsmJS.cpp:2106
#5  0x00000000009880a4 in CheckSwitch (f=..., switchStmt=0xc6a720) at js/src/ion/AsmJS.cpp:4148
#6  0x00000000009887e9 in CheckStatement (f=..., stmt=0xc6a720, maybeLabels=0x0) at js/src/ion/AsmJS.cpp:4226
#7  0x000000000098a32b in ensureUnusedApproximate (n=16384, this=0x7fffffffbc78) at ../ds/LifoAlloc.h:263
#8  ensureBallast (this=<optimized out>) at ../ion/IonAllocPolicy.h:70
#9  CheckStatement (maybeLabels=0x0, stmt=0xc6a720, f=...) at js/src/ion/AsmJS.cpp:4216
#10 CheckStatements (f=..., stmtHead=<optimized out>) at js/src/ion/AsmJS.cpp:4197
#11 CheckFunctionBody (m=..., func=...) at js/src/ion/AsmJS.cpp:4323
#12 0x000000000098c3ec in CheckFunctionBodies (m=...) at js/src/ion/AsmJS.cpp:4350
#13 CheckModule (cx=<optimized out>, ts=..., fn=<optimized out>, module=0x7fffffffc550) at js/src/ion/AsmJS.cpp:4797
#14 0x000000000098cce3 in js::CompileAsmJS (cx=0xc4b210, ts=..., fn=0xc69d60, script=...) at js/src/ion/AsmJS.cpp:4828
#15 0x00000000006d5fb1 in EmitFunc (cx=0xc4b210, bce=0x7fffffffcd60, pn=0xc69d60) at js/src/frontend/BytecodeEmitter.cpp:4436
#16 0x00000000006d2f06 in js::frontend::EmitTree (cx=0xc4b210, bce=0x7fffffffcd60, pn=0xc69d60) at js/src/frontend/BytecodeEmitter.cpp:5504
#17 0x00000000006d379e in EmitTree (pn=0xc69d60, bce=0x7fffffffcd60, cx=0xc4b210) at js/src/frontend/BytecodeEmitter.cpp:5490
#18 js::frontend::EmitTree (cx=0xc4b210, bce=0x7fffffffcd60, pn=0xc6aa68) at js/src/frontend/BytecodeEmitter.cpp:5702
#19 0x00000000006db696 in EmitTree (pn=0xc6aa68, bce=0x7fffffffcd60, cx=0xc4b210) at js/src/frontend/BytecodeEmitter.cpp:5490
#20 EmitVariables (cx=0xc4b210, bce=0x7fffffffcd60, pn=<optimized out>, emitOption=InitializeVars, isLet=false) at js/src/frontend/BytecodeEmitter.cpp:3195
#21 0x00000000006d3516 in js::frontend::EmitTree (cx=0xc4b210, bce=0x7fffffffcd60, pn=0xc69ce0) at js/src/frontend/BytecodeEmitter.cpp:5652
#22 0x00000000006c5199 in js::frontend::CompileScript (cx=0xc4b210, scopeChain=(JSObject * const) 0x7ffff4e29060 [object global] delegate, evalCaller=0x0, options=..., [...]
(gdb) x /i $pc
=> 0x923f10 <js::ion::MBasicBlock::inherit(js::ion::MBasicBlock*, unsigned int)+32>:    mov    0x90(%rsi),%edi
(gdb) info reg rsi
rsi            0x2      2

Comment 2

[Luke Wagner [:luke]]

D'oh, thinko with unreachable switch statement:
http://hg.mozilla.org/users/lwagner_mozilla.com/odinmonkey/rev/b03df1589702