Closed Bug 943723 Opened 11 years ago Closed 11 years ago

Nightly hangs with this test case (typed objects)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
28 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox27 - unaffected
firefox28 + fixed

People

(Reporter: jaswanth.sreeram, Assigned: nmatsakis)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file)

testcase.html
2.48 KB, text/html
Details
Attached file testcase.html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36 Steps to reproduce: Open attached file in Nightly (Windows 7, 64-bit) Actual results: Nightly hangs. Expected results: Should display "Hello World" on the page and "Finish" in the console.
User agent is incorrect above. Should be: User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
The program contained within the attachment is: // Type: 3D array of size 100 x 100 x 4, each element is uint8Clamped var ElementTypeClamped = new TypedObject.ArrayType(TypedObject.uint8Clamped, 4); var RowTypeClamped = new TypedObject.ArrayType(ElementTypeClamped, 100); var MatrixTypeClamped = new TypedObject.ArrayType(RowTypeClamped, 100); // Type: 3D array of size 100 x 100 x 4, each element is uint8 var ElementType = new TypedObject.ArrayType(TypedObject.uint8, 4); var RowType = new TypedObject.ArrayType(ElementType, 100); var MatrixType = new TypedObject.ArrayType(RowType, 100); // Create and initialize a matrix. Each element will be set equal to the vector v of size 1 x 4 // VarType is either MatrixType or MatrixTypeClamped var createMat = function(VarType, v) { var newMat = new VarType(); for (var r = 0; r < 100; r++) for (var c = 0; c < 100; c++) for (var d = 0; d < 4; d++) newMat[r][c][d] = v[d]; return newMat; }; var matA, matB, matC, matD, matE, matF, matG, matH, matI, matX, matY, matZ; matA = createMat(MatrixTypeClamped, [1, 2, 3, 4]); matB = createMat(MatrixTypeClamped, [0, 0, 0, 1]); matC = createMat(MatrixTypeClamped, [5, 2, 3, 2]); matD = createMat(MatrixTypeClamped, [5, 3, 6, 1]); matE = createMat(MatrixTypeClamped, [2, 2, 2, 2]); /* // Uncomment this if you have not encounter hang-up problem */ matF = createMat(MatrixTypeClamped, [2, 2, 3, 2]); matG = createMat(MatrixTypeClamped, [2, 2, 3, 2]); matH = createMat(MatrixTypeClamped, [2, 2, 3, 2]); matX = createMat(MatrixTypeClamped, [1, 0, 1, 0]); matY = createMat(MatrixTypeClamped, [0, 0, 2, 0]); matZ = createMat(MatrixTypeClamped, [1, 2, 5, 10]); // This causes the hang-up problem. // Note: matI is of different type as all the above variables matI = createMat(MatrixType, [1, 2, 3, 5]); /* // If replacing the above matI instruction by the following line, no hang-up problem. Why? matI = createMat(MatrixTypeClamped, [1, 2, 3, 4]) */ console.log('Finish');
Confirmed. Last good nightly: 2013-11-08 First bad nightly: 2013-11-09 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f003c386c77a&tochange=9e571ad29946
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Given the pushlog, presumably a regression from bug 933269?
Blocks: 933269
tracking-firefox28: --- → ?
i'll try to look soon, hopefully today.
This is likely caused by the incorrect binary search in TypeRepresentationSet.cpp. If so, the fix is a one-line change: diff --git a/js/src/jit/TypeRepresentationSet.cpp b/js/src/jit/TypeRepresentationSet.cpp index 91d251e..5f6207a 100644 --- a/js/src/jit/TypeRepresentationSet.cpp +++ b/js/src/jit/TypeRepresentationSet.cpp @@ -82,7 +82,7 @@ TypeRepresentationSetBuilder::insert(TypeRepresentation *typeRepr) if (entryiaddr < typeReprAddr) { // typeRepr lies to the right of entry i - min = i + 1; + min = i; } else { // typeRepr lies to the left of entry i max = i; this fix is included in the patch for bug 922115 but is really independent of that bug.
Actually, that patch is reversed, sorry. You get the idea, anyway :)
I was briefly worried that the while test needed to be changed from `while (min != max)` to `while (min < max)`, ... ... but since we have the invariant `i < max`, the loop invariant `min <= max` should still hold even with this change, and thus `while (min != max)` should still suffice.
Pushed the one-line fix to inbound (using Niko as author and me as reviewer): https://hg.mozilla.org/integration/mozilla-inbound/rev/94759f93f65e
We should make better tests for this part of the code. Filed Bug 946187 for that.
Assignee: nobody → nmatsakis
https://hg.mozilla.org/mozilla-central/rev/94759f93f65e
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox28: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Flags: in-testsuite?
Flags: in-qa-testsuite?
Flags: in-qa-testsuite?
Keywords: verifyme
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Reproduced with Nightly from 2013-11-28. With the attached testcase, the latest Aurora (Build ID: 20140121004017) doesn't hang, but I didn't get the same expected results as in comment 0: "ReferenceError: TypedObject is not defined" is displayed in the console, not "Finish". Any thoughts?
Flags: needinfo?(nmatsakis)
This can't be tested on Aurora, because TypedObject is currently Nightly-only. It will be enabled on Aurora and beyond once the spec and our implementation have stabilized enough.
Flags: needinfo?(nmatsakis)
(In reply to Till Schneidereit [:till] from comment #13) > This can't be tested on Aurora, because TypedObject is currently > Nightly-only. It will be enabled on Aurora and beyond once the spec and our > implementation have stabilized enough. In that case setting this as [qa-]. Please renominate for testing once TypeObject is on Aurora.
Keywords: verifyme
Whiteboard: [qa-]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: