Closed Bug 945453 Opened 11 years ago Closed 11 years ago

GenerationalGC: Crash [@ js::assertSameCompartment]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla29

People

(Reporter: gkw, Assigned: jonco)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

lldb stack
10.20 KB, text/plain
Details
fix-args-fuzzbug
3.69 KB, patch
terrence
: review+
djvj
: review+
Details | Diff | Splinter Review
Attached file lldb stack
The upcoming testcase crashes js debug shell (tested with a threadsafe deterministic 64-bit debug build) on m-c changeset 2581b84e0ca1 with --ion-eager at js::assertSameCompartment My configure options are: CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-exact-rooting --enable-elf-hack --enable-stdcxx-compat --enable-warnings-as-errors --enable-signmar --disable-elf-hack --enable-js-diagnostics --with-intl-api=build --enable-ctypes --disable-shared-js --enable-jemalloc --enable-gcgenerational --with-ccache --enable-threadsafe
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
I've successfully reproduced this on MacOS and on linux, but haven't worked out what's wrong yet. It's getting property '0' from an arguments object and it turns out to be a pointer into swept nursery. It looks like arguments objects are traced and barriered properly...
Flags: needinfo?(jcoppeard)
This has been a pain to track down, but I think BaselineCompiler::emitFormalArgAccess() needs a postbarrier when writing to an arguments object.
Attached patch fix-args-fuzzbugSplinter Review
It turns our there are a couple of places in Ion and Baseline where we need to postbarrier writes into arguments objects. These are treated differently to writes to normal JS objects. We also need to make the whole cell store buffer capable of marking arguments objects, which have a custom trace function to deal with their layout. Terrence, I considered using the generic buffer for these and adding a separate path to add them from ion, but this is simpler and I don't think the performance overhead will be significant - does that sound resonable?
Assignee: general → jcoppeard
Status: NEW → ASSIGNED
Attachment #8345257 - Flags: review?(terrence)
Comment on attachment 8345257 [details] [diff] [review] fix-args-fuzzbug Review of attachment 8345257 [details] [diff] [review]: ----------------------------------------------------------------- Good job tracking this down! Missing barriers in jit-code are unbelievably hard to find. I think the approach looks good, but I'm going to punt on the jit bits.
Attachment #8345257 - Flags: review?(terrence)
Attachment #8345257 - Flags: review?(kvijayan)
Attachment #8345257 - Flags: review+
Flags: needinfo?(terrence)
Comment on attachment 8345257 [details] [diff] [review] fix-args-fuzzbug Review of attachment 8345257 [details] [diff] [review]: ----------------------------------------------------------------- r=me with explanations for questions asked. ::: js/src/jit/BaselineCompiler.cpp @@ +2349,5 @@ > + Register reg = R2.scratchReg(); > + masm.loadPtr(Address(BaselineFrameReg, BaselineFrame::reverseOffsetOfArgsObj()), reg); > + > + // Fully sync the stack if post-barrier is needed. > + frame.syncStack(0); It seems clearer to move the frame.syncStack(0) above the loadPtr for the args object. ::: js/src/jit/IonBuilder.cpp @@ +9121,5 @@ > if (info().argsObjAliasesFormals()) { > + if (NeedsPostBarrier(info(), val)) > + current->add(MPostWriteBarrier::New(alloc(), current->argumentsObject(), val)); > + current->add(MSetArgumentsObjectArg::New(alloc(), current->argumentsObject(), > + GET_SLOTNO(pc), val)); It feels weird to me that the MPostWriteBarrier is happening before the actual write. Can this be moved after the MSetArgumentsObjectArg, or does it need to happen before?
Attachment #8345257 - Flags: review?(kvijayan) → review+
(In reply to Kannan Vijayan [:djvj] from comment #6) > It seems clearer to move the frame.syncStack(0) above the loadPtr for the > args object. Agreed, I'll change that. > It feels weird to me that the MPostWriteBarrier is happening before the > actual write. Can this be moved after the MSetArgumentsObjectArg, or does > it need to happen before? I don't think it matters either way, but all the other ones in Ion happen before the write so I did it like that for consistency.
https://hg.mozilla.org/mozilla-central/rev/7201bf07232e
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: