Bug 878495 - Crash [@ js_DisassembleAtPC] with "use asm"
Status: RESOLVED FIXED
Whiteboard: [jsbugmon:update]
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Mac OS X
Priority/Severity: -- critical
Target Milestone: mozilla24
Assigned To: Benjamin Bouvier [:bbouvier]
QA Contact: general
Mentors:
Depends on: 1237403
Blocks: jsfunfuzz odinfuzz 851421
Reported: 2013-06-01 14:11 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2016-01-06 13:21 PST
Flags: ryanvm: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
stack (6.15 KB, text/plain)
2013-06-01 14:11 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags
proposed fix + test case (1.39 KB, patch)
2013-06-06 13:42 PDT, Benjamin Bouvier [:bbouvier]
luke: review+
print "native code" instead of nothing, as discussed (1.46 KB, patch)
2013-06-06 17:59 PDT, Benjamin Bouvier [:bbouvier]
luke: review+
patch + test case that runs even in opt builds (1.56 KB, patch)
2013-06-07 11:01 PDT, Benjamin Bouvier [:bbouvier]
luke: review+

Description Gary Kwong [:gkw] [:nth10sd] 2013-06-01 14:11:04 PDT
Created attachment 757035
stack

disassemble("-r", (function() {
    (function() {
        "use asm"
        return {}
    })()
}))

crashes js debug shell on m-c changeset 18fc62fd8dcc without any CLI arguments at js_DisassembleAtPC
Comment 1 Jesse Ruderman 2013-06-01 14:27:14 PDT
Regression from bug 851421?
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2013-06-01 15:00:04 PDT
Yep.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/30b977b2b911
user:        Nicholas Nethercote
date:        Thu Mar 14 18:44:03 2013 -0700
summary:     Bug 851421 (part 2) - Don't emit bytecode for asm.js functions unless linking fails.  r=luke.
Comment 3 Benjamin Bouvier [:bbouvier] 2013-06-06 13:42:27 PDT
Created attachment 759390
proposed fix + test case

The script is set to NULL if the function is native; in this case, there is no need to recursively apply the function.
Comment 4 Luke Wagner [:luke] 2013-06-06 14:11:03 PDT
Comment on attachment 759390
proposed fix + test case

Thanks!  Do you suppose you could change this so that, in the !script case, we Sprint something like "[native code]"?
Comment 5 Benjamin Bouvier [:bbouvier] 2013-06-06 15:04:09 PDT
The current behaviour of dis() and disassemble() is to throw an error if there is no script: "typein:2:0 Error: only works on scripts".
So this is doable, but this would change dis / disassemble (and similar functions) behaviours.
Comment 6 Benjamin Bouvier [:bbouvier] 2013-06-06 17:59:31 PDT
Created attachment 759525
print "native code" instead of nothing, as discussed
Comment 7 Luke Wagner [:luke] 2013-06-06 18:03:07 PDT
Comment on attachment 759525
print "native code" instead of nothing, as discussed

Thanks!
Comment 8 Ryan VanderMeulen [:RyanVM] 2013-06-07 05:25:04 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/d6db31e46b02
Comment 9 Ryan VanderMeulen [:RyanVM] 2013-06-07 08:17:32 PDT
Backed out for test failures (see the comments in bug 878435).
https://hg.mozilla.org/integration/mozilla-inbound/rev/a15f36c774a8
Comment 10 Luke Wagner [:luke] 2013-06-07 08:17:54 PDT
Ugh, I should have caught this; some shell functions are only available in debug builds (like dis and disassemble).  Try "if (disassemble)" (but double check me that this fixes the problem ;)
Comment 11 Benjamin Bouvier [:bbouvier] 2013-06-07 11:01:58 PDT
Created attachment 759831
patch + test case that runs even in opt builds

if (disassemble) was not enough as "disassemble" was not defined. This test case passes in debug and opt builds and does what we expect. One can check by printing the result of disassemble: in debug mode, it will print the disassembled bytecode; in opt mode it won't print anything.
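The two points settled in comments 3/6 (a function with no script must be reported as "[native code]" rather than dereferenced) and comments 10/11 (the test must not touch a debug-only builtin that is undefined in opt builds), as an added JavaScript model that is not the bug's patch code; the tree walk, node shapes and function names are constructed for illustration, and the real `disassemble` builtin is only called when the shell provides it:

```javascript
// Added example, not code from the patches attached to this bug. It models in
// plain JS the two points settled in the thread; all names are constructed.

// Comments 10/11: `if (disassemble)` throws a ReferenceError in an opt shell,
// where the builtin is not defined at all; a typeof check does not.
function haveDisassemble() {
  return typeof disassemble === "function";
}

// A node stands for a function as the "-r" (recursive) walk sees it:
// `script` is null for a function that carries no bytecode, which is the
// linked asm.js module case introduced by bug 851421.
// Walk as it behaved before the fix: dereferences script unconditionally.
function walkBuggy(fn, depth, out) {
  out.push("  ".repeat(depth) + fn.name + ":");
  for (const op of fn.script.ops) out.push("  ".repeat(depth + 1) + op);
  for (const inner of fn.script.inner) walkBuggy(inner, depth + 1, out);
  return out;
}

// Walk with the fix from comments 3/6: a null script is reported as
// "[native code]" and is not recursed into.
function walkFixed(fn, depth, out) {
  out.push("  ".repeat(depth) + fn.name + ":");
  if (fn.script === null) {
    out.push("  ".repeat(depth + 1) + "[native code]");
    return out;
  }
  for (const op of fn.script.ops) out.push("  ".repeat(depth + 1) + op);
  for (const inner of fn.script.inner) walkFixed(inner, depth + 1, out);
  return out;
}

// Constructed tree shaped like the description's test case: an outer
// function whose inner "use asm" module has no bytecode (opcode names are
// constructed placeholders).
function sampleTree() {
  const asmModule = { name: "asm", script: null };
  return { name: "outer",
           script: { ops: ["lambda asm", "call", "retrval"], inner: [asmModule] } };
}

function buggyCrashes() {
  try { walkBuggy(sampleTree(), 0, []); return false; }
  catch (e) { return e instanceof TypeError; }  // the null deref in JS terms
}

// Comment 11's shape: the real builtin is exercised only when present, so the
// test is meaningful in a debug shell and still passes in an opt build.
function runTestCase() {
  if (!haveDisassemble()) return "skipped: no disassemble builtin";
  disassemble("-r", function () { (function () { "use asm"; return {}; })(); });
  return "ran";
}
```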
Comment 12 Luke Wagner [:luke] 2013-06-07 11:55:48 PDT
Comment on attachment 759831
patch + test case that runs even in opt builds

Thanks!
Comment 13 Ryan VanderMeulen [:RyanVM] 2013-06-07 12:24:13 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/5860d85b0006
Comment 14 Ed Morley [:emorley] 2013-06-10 02:15:03 PDT
https://hg.mozilla.org/mozilla-central/rev/5860d85b0006