Closed Bug 965728 Opened 6 years ago Closed 6 years ago

With jits disabled, analysis can force compilation

Categories: Core :: JavaScript Engine: JIT, defect
Platform: x86_64, Linux
Tracking: RESOLVED FIXED, mozilla30
People: Reporter: mjrosenb, Assigned: mjrosenb
Attachments: 1 file

(gdb) bt 20
#0  js::jit::Assembler::executableCopy (this=0xbeffb078, buffer=0xb64479d8 "")
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/arm/Assembler-arm.cpp:592
#1  0x0024bef8 in js::jit::JitCode::copyFrom (this=0xb614b1f0, masm=...) at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/Ion.cpp:622
#2  0x0022e5d8 in js::jit::Linker::newCode<(js::AllowGC)1> (this=0xbeffbcd8, cx=0x799d58, execAlloc=0x838e78, kind=JSC::BASELINE_CODE)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/IonLinker.h:63
#3  0x00216fee in js::jit::Linker::newCode<(js::AllowGC)1> (this=0xbeffbcd8, cx=0x799d58, kind=JSC::BASELINE_CODE)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/IonLinker.h:81
#4  0x001963fc in js::jit::ICStubCompiler::getStubCode (this=0xbeffbd38) at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/BaselineIC.cpp:592
#5  0x001fe5fe in js::jit::ICNewArray_Fallback::Compiler::getStub (this=0xbeffbd38, space=0xbeffcc00)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/BaselineIC.h:1838
#6  0x0018fa98 in js::jit::BaselineCompiler::emit_JSOP_NEWARRAY (this=0xbeffbf38)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/BaselineCompiler.cpp:1543
#7  0x0018d5a8 in js::jit::BaselineCompiler::emitBody (this=0xbeffbf38)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/BaselineCompiler.cpp:810
#8  0x0018a772 in js::jit::BaselineCompiler::compile (this=0xbeffbf38)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/BaselineCompiler.cpp:95
#9  0x001b6c32 in js::jit::BaselineCompile (cx=0x799d58, script=...) at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/BaselineJIT.cpp:236
#10 0x00258894 in js::jit::AnalyzeNewScriptProperties (cx=0x799d58, fun=0xb6151180, type=0xb615bde0, baseobj=..., initializerList=0xbeffd658)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jit/IonAnalysis.cpp:2169
#11 0x003fa140 in CheckNewScriptProperties (cx=0x799d58, type=0xb615bde0, fun=0xb6151180)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jsinfer.cpp:3461
#12 0x003fbc08 in js::ExclusiveContext::getNewType (this=0x799d58, clasp=0x7531d8 <JSObject::class_>, proto=..., fun=0xb6151180)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jsinfer.cpp:4042
#13 0x004563e6 in js::CreateThisForFunctionWithProto (cx=0x799d58, callee=..., proto=0xb612d070, newKind=js::GenericObject)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jsobj.cpp:1540
#14 0x00456622 in js::CreateThisForFunction (cx=0x799d58, callee=..., newKind=js::GenericObject)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/jsobj.cpp:1570
#15 0x0057a7e4 in js::StackFrame::prologue (this=0x793a60, cx=0x799d58) at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/vm/Stack.cpp:261
#16 0x00522090 in Interpret (cx=0x799d58, state=...) at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/vm/Interpreter.cpp:2671
#17 0x005161dc in js::RunScript (cx=0x799d58, state=...) at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/vm/Interpreter.cpp:421
#18 0x00516e48 in js::ExecuteKernel (cx=0x799d58, script=..., scopeChainArg=..., thisv=..., type=js::EXECUTE_DIRECT_EVAL, evalInFrame=..., result=0x793088)
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/vm/Interpreter.cpp:618
#19 0x000996c4 in EvalKernel (cx=0x799d58, args=..., evalType=DIRECT_EVAL, caller=..., scopeobj=..., pc=0x843888 "{")
    at /home/mjrosenb/src/central/central-assemblerbuffer/js/src/builtin/Eval.cpp:329
(More stack frames follow...)
(gdb) show args
Argument list to give program being debugged when it is started is "--no-asmjs --no-baseline --no-ion ./js/game-setup.js".

js::jit::AnalyzeNewScriptProperties seems to be the culprit.
Patch should be coming soon.
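
The diagnosis in the report above (a compiler entry point on the stack although the shell was started with `--no-baseline`) can be checked mechanically. The script below is an added example, not part of the bug report or of Mozilla's code: it parses gdb `bt` output and reports which caller reached `js::jit::BaselineCompile`. The flag-to-function pairing, the names `parse_frames` and `find_forced_compiles`, and the trimmed sample input are assumptions of this example.

```python
import re

# A gdb `bt` frame line, e.g. "#9  0x001b6c32 in js::jit::BaselineCompile (cx=...".
# Frame #0 has no address; template arguments such as <(js::AllowGC)1> are dropped.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?([\w:~]+)(?:<[^>]*>)?\s*\(")

# Shell flag -> compiler entry point that should never be on the stack when the
# flag is given. Only the pairing visible in this bug is listed (assumption).
FORBIDDEN = {"--no-baseline": "js::jit::BaselineCompile"}

# Excerpt of the backtrace in this bug; arguments and source locations trimmed.
SAMPLE_BT = """\
#2  0x0022e5d8 in js::jit::Linker::newCode<(js::AllowGC)1> (this=0xbeffbcd8, cx=0x799d58)
#8  0x0018a772 in js::jit::BaselineCompiler::compile (this=0xbeffbf38)
    at js/src/jit/BaselineCompiler.cpp:95
#9  0x001b6c32 in js::jit::BaselineCompile (cx=0x799d58, script=...)
#10 0x00258894 in js::jit::AnalyzeNewScriptProperties (cx=0x799d58, fun=0xb6151180)
#11 0x003fa140 in CheckNewScriptProperties (cx=0x799d58, type=0xb615bde0, fun=0xb6151180)
"""
SAMPLE_ARGS = "--no-asmjs --no-baseline --no-ion ./js/game-setup.js"


def parse_frames(bt_text):
    """Map frame number -> function name; continuation lines are skipped."""
    frames = {}
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames[int(m.group(1))] = m.group(2)
    return frames


def find_forced_compiles(bt_text, args):
    """Return (flag, entry point, caller) for each disabled compiler on the stack."""
    frames = parse_frames(bt_text)
    given = set(args.split())
    hits = []
    for flag, entry in FORBIDDEN.items():
        if flag not in given:
            continue
        for num, func in sorted(frames.items()):
            if func == entry:
                # The next-higher frame number is the caller of the entry point.
                hits.append((flag, entry, frames.get(num + 1)))
    return hits


if __name__ == "__main__":
    for flag, entry, caller in find_forced_compiles(SAMPLE_BT, SAMPLE_ARGS):
        print(f"{flag} given, but {entry} was reached from {caller}")
```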

Attachment #8367859 - Flags: review?(jdemooij)

Comment on attachment 8367859
moreDisableJits-r0.patch

Review of attachment 8367859:
-----------------------------------------------------------------

Good catch!

::: js/src/jit/IonAnalysis.cpp
@@ +2153,1 @@
>          return true;

Style nit: multi-line condition so add {} with { on its own line:

if (foo ||
    bar)
{
    return true;
}

Attachment #8367859 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/6245232c114d
Assignee: nobody → mrosenberg
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30