Closed Bug 946234 Opened 11 years ago Closed 11 years ago

Crash [@ js::jit::CodeGeneratorX86Shared::bailout<js::jit::BailoutJump>]

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla28

People

(Reporter: decoder, Assigned: sunfish)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 9688476c1544 (run with --fuzzing-safe --ion-compile-try-catch --ion-eager --ion-check-range-analysis):

function f() {
  for (var i = 0; i < 8; ++i) {
    while(true) {}
  }
  oa[i % 8];
}
f();

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::CodeGeneratorX86Shared::bailout<js::jit::BailoutJump> (this=0x16f42c0, binder=..., snapshot=0x0) at ../jit/shared/CodeGenerator-x86-shared.cpp:413
413         binder(masm, ool->entry());
#0  js::jit::CodeGeneratorX86Shared::bailout<js::jit::BailoutJump> (this=0x16f42c0, binder=..., snapshot=0x0) at ../jit/shared/CodeGenerator-x86-shared.cpp:413
#1  0x000000000071d73f in bailoutIf (snapshot=<optimized out>, condition=js::jit::AssemblerX86Shared::Equal, this=0x16f42c0) at ../jit/shared/CodeGenerator-x86-shared.cpp:420
#2  js::jit::CodeGeneratorX86Shared::visitModPowTwoI (this=0x16f42c0, ins=0x16ee050) at ../jit/shared/CodeGenerator-x86-shared.cpp:1050
#3  0x000000000055dcc7 in js::jit::CodeGenerator::generateBody (this=0x16f42c0) at ../jit/CodeGenerator.cpp:2881
#4  0x000000000056853e in js::jit::CodeGenerator::generate (this=0x16f42c0) at ../jit/CodeGenerator.cpp:5795
#5  0x00000000006868b9 in GenerateCode (maybeMasm=0x0, lir=0x16ecc00, mir=0x16f13c8) at ../jit/Ion.cpp:1475
#6  js::jit::CompileBackEnd (mir=0x16f13c8, maybeMasm=0x0) at ../jit/Ion.cpp:1494
#7  0x00000000006871d1 in js::jit::IonCompile (cx=0x1620ea0, script=0x0, baselineFrame=<optimized out>, osrPc=0x0, constructing=false, executionMode=js::SequentialExecution) at ../jit/Ion.cpp:1710
rcx            0x0      0
rdx            0x0      0
=> 0x71b932 <js::jit::CodeGeneratorX86Shared::bailout<js::jit::BailoutJump>(js::jit::BailoutJump const&, js::jit::LSnapshot*)+34>:      mov    0x10(%rdx),%rcx
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, failed due to error (try manually).
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/6787bcb8ea7e
user:        Dan Gohman
date:        Mon Dec 02 13:41:54 2013 -0800
summary:     Bug 944963 - IonMonkey: Add a ModSelf operator to fix an x86 constraint problem with x%x. r=bhackett

Dan, is bug 944963 a likely regressor?
Blocks: 944963
Flags: needinfo?(sunfish)
Attached patch bug946234.patch
If MMod::fallible() returns false, Lowering doesn't create a snapshot, so the CodeGenerator has to avoid doing a bailout under the same circumstances.
Assignee: general → sunfish
Attachment #8342981 - Flags: review?(bhackett1024)
Flags: needinfo?(sunfish)
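The invariant behind the fix, as an added model that is not SpiderMonkey code: Lowering only attaches a snapshot when the mod is fallible, so the code generator must make the same decision before emitting a bailout. Everything here is a simplified stand-in (Range, lower, the Code vector), and the assumption that lhs % 2^k is fallible exactly when the dividend may be negative (negative-zero result) is a modelling choice, not taken from the bug.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Range-analysis result for the dividend of lhs % 2^shift (hypothetical).
struct Range { int32_t lo, hi; };

// Model of MMod::fallible() for the power-of-two case: the integer path can
// only fail on a negative-zero result, i.e. when the dividend may be negative.
// Assumption: this mirrors Ion's rule for i % 2^k; it is not its code.
bool modPowTwoFallible(const Range &lhs) { return lhs.lo < 0; }

struct LSnapshot { int resumePoint; };

// What Lowering hands to the CodeGenerator; snapshot is null when the
// operation was judged infallible, which is exactly the crashing case.
struct LModPowTwoI { Range lhsRange; int shift; const LSnapshot *snapshot; };

LModPowTwoI lower(Range lhs, int shift, const LSnapshot *snap) {
    return {lhs, shift, modPowTwoFallible(lhs) ? snap : nullptr};
}

using Code = std::vector<std::string>;  // stands in for emitted masm code

// Like the real bailout(), this dereferences the snapshot unconditionally.
void bailoutIf(const LSnapshot *snapshot, Code &out) {
    if (!snapshot) throw std::logic_error("bailout with null snapshot");
    out.push_back("bailout -> resume@" + std::to_string(snapshot->resumePoint));
}

// Before the fix: the negative-zero bailout is emitted for every ModPowTwoI.
Code visitModPowTwoIBuggy(const LModPowTwoI &ins) {
    Code c{"and lhs, " + std::to_string((1 << ins.shift) - 1)};
    bailoutIf(ins.snapshot, c);          // faults when snapshot == nullptr
    c.push_back("done:");
    return c;
}

// After the fix: the bailout and its |done| label exist only when fallible.
Code visitModPowTwoIFixed(const LModPowTwoI &ins) {
    Code c{"and lhs, " + std::to_string((1 << ins.shift) - 1)};
    if (modPowTwoFallible(ins.lhsRange)) {   // same test Lowering applied
        bailoutIf(ins.snapshot, c);
        c.push_back("done:");
    }
    return c;
}
```

With the testcase's range (i in [0, 7]) the buggy generator dereferences a null snapshot, while the fixed one emits no bailout at all.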
Comment on attachment 8342981 [details] [diff] [review]
bug946234.patch

Review of attachment 8342981 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/shared/CodeGenerator-x86-shared.cpp
@@ +1050,1 @@
> masm.jump(&done);

The definition of |done| can be moved to this if statement.
Attachment #8342981 - Flags: review?(bhackett1024) → review+
(In reply to Brian Hackett (:bhackett) from comment #6)
> Comment on attachment 8342981 [details] [diff] [review]
> bug946234.patch
>
> Review of attachment 8342981 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> ::: js/src/jit/shared/CodeGenerator-x86-shared.cpp
> @@ +1050,1 @@
> > masm.jump(&done);
>
> The definition of |done| can be moved to this if statement.

Done.

https://hg.mozilla.org/integration/mozilla-inbound/rev/bfb81cac0108
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Keywords: verifyme
With Nightly js shell from 12/04 and 12/05 on Ubuntu 13.10 64bit, I get: "Segmentation fault (core dumped)".
With FF 28 beta 2 shell, the testcase ran more than an hour without any failure/crash/nothing.
Is it expected because of the while(true) loop?
Flags: needinfo?(dgohman)
(In reply to Alexandra Lucinet, QA Mentor [:adalucinet] from comment #9)
> With Nightly js shell from 12/04 and 12/05 on Ubuntu 13.10 64bit, I get:
> "Segmentation fault (core dumped)".
> With FF 28 beta 2 shell, the testcase ran more than an hour without any
> failure/crash/nothing.
> Is it expected because of the while(true) loop?

Yes.
Flags: needinfo?(dgohman)
Status: RESOLVED → VERIFIED
Keywords: verifyme