Closed
Bug 925312
Opened 11 years ago
Closed 11 years ago
Threadsafe opt-only Crash [@ ArrayJoinKernel]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
Tracking | Status | |
---|---|---|
firefox24 | --- | unaffected |
firefox25 | --- | unaffected |
firefox26 | --- | unaffected |
firefox27 | --- | fixed |
firefox-esr24 | --- | unaffected |
b2g18 | --- | unaffected |
b2g-v1.1hd | --- | unaffected |
b2g-v1.2 | --- | unaffected |
People
(Reporter: decoder, Assigned: jandem)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:][qa-])
Crash Data
Attachments
(2 files, 1 obsolete file)
512 bytes,
text/plain
|
Details | |
987 bytes,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision aa986b6ce882 (threadsafe build, run with --ion-eager): Array(1024).join(Array(476655))
Reporter | ||
Comment 1•11 years ago
|
||
Reporter | ||
Comment 2•11 years ago
|
||
Crash trace: Program received signal SIGSEGV, Segmentation fault. ArrayJoinKernel<false, StringSeparatorOp> (sb=..., length=1024, obj=(JSObject * const) 0xf6f314a0 [object Array], sepOp=..., cx=0x9079390) at js/src/jsarray.cpp:1049 1049 if (++i != length && !sepOp(cx, sb)) #0 ArrayJoinKernel<false, StringSeparatorOp> (sb=..., length=1024, obj=(JSObject * const) 0xf6f314a0 [object Array], sepOp=..., cx=0x9079390) at js/src/jsarray.cpp:1049 #1 ArrayJoin<false> (args=<synthetic pointer>, cx=0x9079390) at js/src/jsarray.cpp:1124 #2 array_join (vp=0xffffc8a4, argc=1, cx=0x9079390) at js/src/jsarray.cpp:1190 #3 array_join (cx=0x9079390, argc=1, vp=0xffffc8a4) at js/src/jsarray.cpp:1185 #4 0xf729c151 in ?? () #5 0x083210b6 in EnterIon (data=..., cx=0x9079390) at js/src/jit/Ion.cpp:2057 #6 js::jit::Cannon (cx=0x9079390, state=...) at js/src/jit/Ion.cpp:2137 #7 0x08090f2c in js::RunScript (cx=0x9079390, state=...) at js/src/vm/Interpreter.cpp:399 eax 0x0 0 ebx 0x903dff4 151248884 ecx 0x3a2f7 238327 edx 0xa2ffe008 -1560289272 esi 0x9079390 151491472 edi 0xe2fff008 -486543352 ebp 0x1 1 esp 0xffffc760 4294952800 eip 0x818faf8 <array_join(JSContext*, unsigned int, JS::Value*)+920> => 0x818faf8 <array_join(JSContext*, unsigned int, JS::Value*)+920>: mov (%edi,%eax,4),%ebp 0x818fafb <array_join(JSContext*, unsigned int, JS::Value*)+923>: mov %ebp,(%edx,%eax,4) This just crashes in a threadsafe optimized 32 bit build. I tried using a debug (or debug+opt) build and it did not reproduce, neither did it reproduce in a non-threadsafe optimized 32 bit build. In all of these cases I got an "InternalError: allocation size overflow" instead of a crash.
Whiteboard: [jsbugmon:update,bisect]
Assignee | ||
Comment 3•11 years ago
|
||
I can't reproduce this locally but I'm pretty sure this should fix it. We were using a RootedString for the separator instead of a Rooted<JSStableString*> so the conservative scanner could destroy it, thereby invalidating our jschar * pointer. This patch uses a JSStableString and restructures the code a bit so that StringSeparatorOp can use a StableCharPtr instead of jschar *. decoder: would be great if you could verify this fixes the crash :)
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Reporter | ||
Comment 4•11 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 5•11 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #3) > Created attachment 815364 [details] [diff] [review] > Patch > > I can't reproduce this locally but I'm pretty sure this should fix it. We > were using a RootedString for the separator instead of a > Rooted<JSStableString*> so the conservative scanner could destroy it, > thereby invalidating our jschar * pointer. I agree, that's probably what's going on. > This patch uses a JSStableString and restructures the code a bit so that > StringSeparatorOp can use a StableCharPtr instead of jschar *. That's going to force an extra malloc for most string joins. Since this problem is going to go away as soon as we turn on exact rooting, would you be okay with just throwing an Anchor at it?
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Reporter | ||
Comment 6•11 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #3) > > decoder: would be great if you could verify this fixes the crash :) Yep, this fixes the issue :)
Assignee | ||
Comment 7•11 years ago
|
||
Use an Anchor.
Attachment #815364 -
Attachment is obsolete: true
Attachment #815364 -
Flags: review?(terrence)
Attachment #815784 -
Flags: review?(terrence)
Comment 8•11 years ago
|
||
Comment on attachment 815784 [details] [diff] [review] Patch v2 Review of attachment 815784 [details] [diff] [review]: ----------------------------------------------------------------- Thanks! r=me
Attachment #815784 -
Flags: review?(terrence) → review+
Assignee | ||
Comment 9•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/40fbd6880056
Comment 10•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/40fbd6880056 Test?
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox27:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Reporter | ||
Comment 11•11 years ago
|
||
I don't think this can be tested reliably at all.
Flags: in-testsuite? → in-testsuite-
Updated•11 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:][qa-]
Comment 12•11 years ago
|
||
:jandem Do you know if this affects b2g18? The code was refactored in bug 918808 from array_join_sub to ArrayJoin http://mxr.mozilla.org/mozilla-b2g18/source/js/src/jsarray.cpp#1476
status-b2g18:
--- → ?
Assignee | ||
Comment 14•11 years ago
|
||
(In reply to David Chan [:dchan] from comment #12) > :jandem > > Do you know if this affects b2g18? The code was refactored in bug 918808 > from array_join_sub to ArrayJoin No this was a regression from bug 918808 and only affected m-c (Firefox 27).
Flags: needinfo?(jdemooij)
Assignee | ||
Updated•11 years ago
|
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → unaffected
status-firefox24:
--- → unaffected
status-firefox25:
--- → unaffected
status-firefox26:
--- → unaffected
Updated•10 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•