Closed Bug 847446 Opened 12 years ago Closed 12 years ago

BaselineCompiler: Crash [@ js::ion::IonActivationIterator::ionStackRange]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking

RESOLVED FIXED

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on baseline compiler branch revision a956beaa9efd (run with ):

test();
function test() {
  function gen() {
    try {
      try {
        yield 1;
      } finally {
        actual += "Inner finally";
      }
    } finally { }
  }
  try {
    for (var i in gen())
      test();
  } catch (e) {
    throw e;
  }
}
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000960c8b in js::ion::IonActivationIterator::ionStackRange (this=0x7fffffe02930, min=@0x7fffffe02940: 0xee7f68, end=@0x7fffffe02948: 0xf4ec68) at /srv/repos/ionmonkey/js/src/ion/IonFrames.cpp:710
710 min = reinterpret_cast<uintptr_t *>(footer->outVp());
(gdb) bt
#0 0x0000000000960c8b in js::ion::IonActivationIterator::ionStackRange (this=0x7fffffe02930, min=@0x7fffffe02940: 0xee7f68, end=@0x7fffffe02948: 0xf4ec68) at /srv/repos/ionmonkey/js/src/ion/IonFrames.cpp:710
#1 0x0000000000785371 in MarkRangeConservativelyAndSkipIon (end=0x7ffffffff000, begin=<optimized out>, rt=0xee7c90, trc=0xee7f68) at /srv/repos/ionmonkey/js/src/gc/RootMarking.cpp:277
#2 MarkConservativeStackRoots (trc=0xee7f68, useSavedRoots=<optimized out>) at /srv/repos/ionmonkey/js/src/gc/RootMarking.cpp:327
#3 0x0000000000787565 in js::gc::MarkRuntime (trc=0xee7f68, useSavedRoots=false) at /srv/repos/ionmonkey/js/src/gc/RootMarking.cpp:704
#4 0x00000000004eefda in BeginMarkPhase (rt=0xee7c90) at /srv/repos/ionmonkey/js/src/jsgc.cpp:2782
#5 0x00000000004f9fd8 in IncrementalCollectSlice (rt=0xee7c90, budget=<optimized out>, reason=JS::gcreason::TOO_MUCH_MALLOC, gckind=js::GC_NORMAL) at /srv/repos/ionmonkey/js/src/jsgc.cpp:4184
#6 0x00000000004fc32b in GCCycle (rt=0xee7c90, incremental=<optimized out>, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::TOO_MUCH_MALLOC) at /srv/repos/ionmonkey/js/src/jsgc.cpp:4362
#7 0x00000000004fc9ec in Collect (rt=0xee7c90, incremental=true, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::TOO_MUCH_MALLOC) at /srv/repos/ionmonkey/js/src/jsgc.cpp:4490
#8 0x000000000048966f in js_InvokeOperationCallback (cx=0xf086c0) at /srv/repos/ionmonkey/js/src/jscntxt.cpp:1137
#9 0x00000000004896dd in js_HandleExecutionInterrupt (cx=<optimized out>) at /srv/repos/ionmonkey/js/src/jscntxt.cpp:1161
#10 0x0000000000542b86 in js::Interpret (cx=0xf086c0, entryFrame=0x7ffff67094d0, interpMode=js::JSINTERP_NORMAL, useNewType=<optimized out>) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:3111
#11 0x000000000054fe53 in js::RunScript (cx=0xf086c0, fp=0x7ffff67094d0) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:358
#12 0x00000000005559f7 in SendToGenerator (cx=0xf086c0, op=JSGENOP_CLOSE, gen=0x1219ac0, arg=..., obj=...) at /srv/repos/ionmonkey/js/src/jsiter.cpp:1569
#13 0x0000000000556c2b in CloseGenerator (obj=..., cx=0xf086c0) at /srv/repos/ionmonkey/js/src/jsiter.cpp:1615
#14 js::CloseIterator (cx=0xf086c0, obj=...) at /srv/repos/ionmonkey/js/src/jsiter.cpp:1030
#15 0x0000000000556d1a in js::UnwindIteratorForException (cx=0xf086c0, obj=...) at /srv/repos/ionmonkey/js/src/jsiter.cpp:1041
#16 0x00000000009646c7 in HandleException (calledDebugEpilogue=<synthetic pointer>, rfe=0x7fffffe043e0, frame=..., cx=0xf086c0) at /srv/repos/ionmonkey/js/src/ion/IonFrames.cpp:412
#17 js::ion::HandleException (rfe=0x7fffffe043e0) at /srv/repos/ionmonkey/js/src/ion/IonFrames.cpp:474
#18 0x00007ffff7f93354 in ?? ()
#19 0x00007ffff652f060 in ?? ()
#20 0x00007fffffe043e0 in ?? ()
#21 0x00007fffffe04550 in ?? ()
#22 0x00007fffffe044f0 in ?? ()
#23 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x960c8b <js::ion::IonActivationIterator::ionStackRange(unsigned long*&, unsigned long*&)+59>: cmpl $0x5,0x18(%rcx)
(gdb) info reg rcx
rcx 0x2 2
Attached patch: Patch
EnsureExitFrame creates "fake" exit frames and it's invalid to use IonFrameIterator::exitFrame() for these frames. The patch fixes the crash and adds an assert to guard against this. This should also fix the root analysis orange.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #728921 - Flags: review?(kvijayan)
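The invariant described in the comment above (a fake exit frame has no footer, so it has to be recognised before the footer is read), as an added example that is neither the attached patch nor SpiderMonkey code. It is a simplified C++ model in which every type and function name is hypothetical; the constructed value 0x2 mirrors the rcx value in the crash trace.

```cpp
// Simplified model, not SpiderMonkey source; every name here is hypothetical.
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <utility>
enum FrameType { Frame_JS, Frame_Exit };
struct ExitFooter {            // describes the VM call behind a real exit frame
    uintptr_t *outBegin;       // slots the conservative scanner is told to skip
    uintptr_t *outEnd;
};
struct Frame {
    FrameType type;
    bool fake;                 // marker frame with no footer behind it
    const ExitFooter *footer;  // meaningless when fake is true
};
using Range = std::pair<uintptr_t *, uintptr_t *>;
class FrameIter {
    const Frame *frame_;
  public:
    explicit FrameIter(const Frame *f) : frame_(f) {}
    bool isFakeExitFrame() const { return frame_->type == Frame_Exit && frame_->fake; }
    const ExitFooter *exitFooter() const {
        // Guard: the footer may only be read on a real exit frame.
        assert(frame_->type == Frame_Exit && !frame_->fake);
        return frame_->footer;
    }
    Range skipRange() const {  // empty range when there is nothing to skip
        if (frame_->type != Frame_Exit || isFakeExitFrame())
            return Range(nullptr, nullptr);  // decided before any footer access
        const ExitFooter *ft = exitFooter();
        return Range(ft->outBegin, ft->outEnd);
    }
};

// Constructed sample: fake frame whose footer slot holds a stale value (0x2).
Range fakeFrameRange() {
    Frame fake = { Frame_Exit, true, reinterpret_cast<const ExitFooter *>(uintptr_t(2)) };
    return FrameIter(&fake).skipRange();
}
static uintptr_t slots[4];
static const ExitFooter realFooter = { &slots[1], &slots[3] };
Range realFrameRange() {
    Frame real = { Frame_Exit, false, &realFooter };
    return FrameIter(&real).skipRange();
}
int main() {
    std::printf("fake=%p real=%p\n", (void *)fakeFrameRange().first, (void *)realFrameRange().first);
    return 0;
}
```

The assert in `exitFooter()` only fires in debug builds, so the explicit `isFakeExitFrame()` test in `skipRange()` is what keeps a release build from dereferencing the stale pointer.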
Comment on attachment 728921: Patch

Review of attachment 728921:
-----------------------------------------------------------------

I was under the impression that there was still a rooting analysis issue with |MarkActiveBaselineScripts| using InlineFrameIterator which uses rooted thingies inside a NoGC context.

::: js/src/ion/IonFrames.cpp @@ +207,1 @@ > JS_ASSERT(type_ == IonFrame_Exit || type_ == IonFrame_BaselineJS);

Nit: This ASSERT can be removed since isFakeExitFrame already does it.
Attachment #728921 - Flags: review?(kvijayan) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9b49708949da).
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED