Bug 1218065
Opened 9 years ago
Closed 9 years ago
Crash [@ js::GetSrcNoteOffset] or Assertion failure: current, at jit/IonBuilder.cpp
Categories: Core :: JavaScript Engine: JIT, defect
Status: RESOLVED FIXED
Target Milestone: mozilla44

 | Tracking | Status
---|---|---
firefox44 | --- | fixed

People: Reporter: gkw, Assigned: jandem
Whiteboard: [jsbugmon:update][fuzzblocker] (4 keywords)
Attachments: 3 files
{ const b = 0; switch (1) { case b = 0: } }

asserts js debug shell on m-c changeset 76bd0c01d72e with --fuzzing-safe --no-threads --ion-eager at

Assertion failure: current, at jit/IonBuilder.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 76bd0c01d72e

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151021005222" and the hash "a286c89173e5352fc8831015d7e286fb513fc427".
The "bad" changeset has the timestamp "20151021011502" and the hash "d1e0b2e1b8ea2e241eebc747c9f2ca85858642f3".

Likely regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a286c89173e5352fc8831015d7e286fb513fc427&tochange=d1e0b2e1b8ea2e241eebc747c9f2ca85858642f3

Jan, is bug 1215992 or bug 1216151 a likely regressor?
Flags: needinfo?(jdemooij)
Comment 1 (Reporter) • 9 years ago
(lldb) bt 5
* thread #1: tid = 0x6ad29, 0x0000000100201b64 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonBuilder::processCondSwitchCase(this=<unavailable>, state=<unavailable>) + 1988 at IonBuilder.cpp:4040, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100201b64 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonBuilder::processCondSwitchCase(this=<unavailable>, state=<unavailable>) + 1988 at IonBuilder.cpp:4040
    frame #1: 0x00000001001f3789 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonBuilder::processCfgStack(this=0x0000000102dbe1a8) + 41 at IonBuilder.cpp:2142
    frame #2: 0x00000001001f1722 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonBuilder::traverseBytecode(this=0x0000000102dbe1a8) + 306 at IonBuilder.cpp:1484
    frame #3: 0x00000001001ed204 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::IonBuilder::build(this=0x0000000102dbe1a8) + 1476 at IonBuilder.cpp:913
    frame #4: 0x00000001001e5914 js-dbg-64-dm-darwin-76bd0c01d72e`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 2150 at Ion.cpp:2177
(lldb)
Comment 2 (Reporter) • 9 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d1e0b2e1b8ea
user: Jan de Mooij
date: Wed Oct 21 10:09:40 2015 +0200
summary: Bug 1215992 - Terminate control flow for THROWSETCONST/THROWSETALIASEDCONST in IonBuilder. r=shu

Jan, is bug 1215992 a more likely regressor?
Blocks: 1215992
Comment 3 (Reporter) • 9 years ago
The testcase in comment 0 also causes a null-deref at js::GetSrcNoteOffset on js opt shells (tested on m-c rev d53a52b39a95):

(lldb) dis -p
js-64-dm-darwin-d53a52b39a95`js::jit::MBasicBlock::pop:
->  0x1001c8bc0 <+0>:  movl   0x88(%rdi), %eax
    0x1001c8bc6 <+6>:  decl   %eax
    0x1001c8bc8 <+8>:  movl   %eax, 0x88(%rdi)
    0x1001c8bce <+14>: movq   0x78(%rdi), %rcx
(lldb) register read $rdi
     rdi = 0x0000000000000000
(lldb) register read $eax
     eax = 0x0013d380
(lldb)

Opt shell configure parameters:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Comment 4 (Reporter) • 9 years ago
(lldb) bt 5
* thread #1: tid = 0xc797e, 0x0000000100515b80 js-64-dm-darwin-d53a52b39a95`js::GetSrcNoteOffset(sn=0x0000000000000000, which=<unavailable>) at BytecodeEmitter.cpp:8524, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1)
  * frame #0: 0x0000000100515b80 js-64-dm-darwin-d53a52b39a95`js::GetSrcNoteOffset(sn=0x0000000000000000, which=<unavailable>) at BytecodeEmitter.cpp:8524
    frame #1: 0x000000010013e00c js-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::processCondSwitchCase(this=0x00000001042f4188, state=0x00000001042f4398) + 92 at IonBuilder.cpp:4049
    frame #2: 0x0000000100132898 js-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::processCfgStack(this=0x00000001042f4188) + 72 at IonBuilder.cpp:2142
    frame #3: 0x0000000100131472 js-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::traverseBytecode(this=0x00000001042f4188) + 322 at IonBuilder.cpp:1484
    frame #4: 0x000000010012e046 js-64-dm-darwin-d53a52b39a95`js::jit::IonBuilder::build(this=0x00000001042f4188) + 1798 at IonBuilder.cpp:913
Comment 5 • 9 years ago
I'm also seeing several more crashes probably related to this bug. Marking as fuzzblocker.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Comment 6 (Assignee) • 9 years ago
Turns out terminating control flow for THROWSETCONST in IonBuilder is complicated because it can happen in a lot of places where we don't handle this. Like the 'case b = 0' in this testcase, or 'while (b = 0)' in the other bug. I tried to fix these places but it's a lot of complexity. This patch just treats THROWSETCONST as a non-fallthrough op for simplicity. It's an edge case anyway so not worth spending more time on.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8679414 - Flags: review?(shu)
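The fix described in comment 6 treats THROWSETCONST as a non-fallthrough op, so an assignment to a const binding ends control flow in IonBuilder just as the runtime ends it with a TypeError. The following is an added example, not code from this bug or from SpiderMonkey: it pins down the observable contract an engine must keep for the two shapes named in comment 6 (`case b = 0:` from this bug and `while (b = 0)` from the related one), and drives them in a regression-test loop so a tiering JIT gets to compile the functions. The iteration count and the `let` control case are constructed for the example.

```javascript
// Added example (not from the bug report or from SpiderMonkey). Checks the
// runtime behaviour that a JIT must preserve: assigning to a const binding
// throws a TypeError and terminates control flow, so the case body or loop
// body after it must never run.
"use strict";

// Shape from this bug: const assignment inside a switch case expression.
// Returns whether a TypeError was thrown and whether the case body ran.
function constAssignInCase() {
  const b = 0;
  let bodyRan = false;
  try {
    switch (1) {
      case b = 0: // evaluating this case expression must throw
        bodyRan = true;
    }
  } catch (e) {
    return { threw: e instanceof TypeError, bodyRan };
  }
  return { threw: false, bodyRan };
}

// Shape from the related bug: const assignment as a while condition.
function constAssignInWhile() {
  const b = 0;
  let bodyRan = false;
  try {
    while (b = 0) { // must throw before the body is ever entered
      bodyRan = true;
    }
  } catch (e) {
    return { threw: e instanceof TypeError, bodyRan };
  }
  return { threw: false, bodyRan };
}

// Constructed control case: the same assignment on a `let` binding is legal,
// evaluates to 0, matches the discriminant and runs the body. It distinguishes
// "threw because the binding is const" from "threw for some other reason".
function letAssignInCase() {
  let b = 0;
  let bodyRan = false;
  switch (0) {
    case b = 0:
      bodyRan = true;
  }
  return { b, bodyRan };
}

// Regression-test style driver: call each shape repeatedly so that an
// optimizing JIT tier compiles the functions, and require the same result on
// every iteration. The default iteration count is a constructed value.
function runRegression(iterations = 2000) {
  for (let i = 0; i < iterations; i++) {
    const c = constAssignInCase();
    const w = constAssignInWhile();
    const l = letAssignInCase();
    if (!c.threw || c.bodyRan) return false;
    if (!w.threw || w.bodyRan) return false;
    if (!l.bodyRan || l.b !== 0) return false;
  }
  return true;
}

if (typeof require !== "undefined" && require.main === module) {
  if (!runRegression()) {
    throw new Error("const-assignment control flow was not preserved");
  }
  console.log("const-assignment control flow preserved on every iteration");
}
```

Run it under the engine's shell (or node) with whatever flag forces early optimization, such as the `--ion-eager` used in comment 0 for SpiderMonkey; a correct engine completes without throwing, while an engine that models the const assignment as falling through would either run a body it must not run or mis-compile the surrounding control flow.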
Comment 8 • 9 years ago
Comment on attachment 8679414 [details] [diff] [review]
Patch

Review of attachment 8679414 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, this is sensible to me. Sorry for trying to be too clever with the fallthrough thing and botching it. :(
Attachment #8679414 - Flags: review?(shu) → review+
Comment 9 (Assignee) • 9 years ago
(In reply to Shu-yu Guo [:shu] from comment #8)
> Sorry for trying to be too clever with the
> fallthrough thing and botching it. :(

No worries, I also thought it made sense to match JSOP_THROW. Then fuzzing happened :)
Comment 11 (bugherder) • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/30a015dc8335
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44