
tenfourfox - issue #280

G5 should use smaller branch stanzas, but crashes Google Docs


Posted on Jul 5, 2014 by Massive Rhino

The G5 opt build crashes when using Google Docs. It does not crash in DEBUG or 7450. It also crashes in b2. This is a showstopper.

The backtrace is weird:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x25f9e000
0x067bee10 in JS::UnmarkGrayGCThingRecursively ()
(gdb) bt
#0  0x067bee10 in JS::UnmarkGrayGCThingRecursively ()
#1  0x06855eb4 in JS::UnmarkGrayGCThingRecursively ()
#2  0x068593fc in JS::UnmarkGrayGCThingRecursively ()
#3  0x069ae534 in JS_CopyPropertiesFrom ()
#4  0x0699d0b0 in js_DumpBacktrace ()
#5  0x06797754 in JS::UnmarkGrayGCThingRecursively ()
#6  0x00735d94 in ?? ()
#7  0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#8  0x067bcf2c in JS::UnmarkGrayGCThingRecursively ()
#9  0x06a7e1d8 in js::GetArrayBufferLengthAndData ()
#10 0x06a8469c in js::GetArrayBufferLengthAndData ()
#11 0x06a85730 in js::GetArrayBufferLengthAndData ()
#12 0x06a86398 in js::GetArrayBufferLengthAndData ()
#13 0x0679a62c in JS::UnmarkGrayGCThingRecursively ()
#14 0x00735888 in ?? ()
#15 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#16 0x067bcadc in JS::UnmarkGrayGCThingRecursively ()
#17 0x06a8479c in js::GetArrayBufferLengthAndData ()
#18 0x06a85730 in js::GetArrayBufferLengthAndData ()
#19 0x06949900 in js::VisitGrayWrapperTargets ()
#20 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#21 0x06a759dc in js::GetArrayBufferLengthAndData ()
#22 0x06a8469c in js::GetArrayBufferLengthAndData ()
#23 0x06a85730 in js::GetArrayBufferLengthAndData ()
#24 0x06949900 in js::VisitGrayWrapperTargets ()
#25 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#26 0x06a759dc in js::GetArrayBufferLengthAndData ()
#27 0x06a8469c in js::GetArrayBufferLengthAndData ()
#28 0x06a85730 in js::GetArrayBufferLengthAndData ()
#29 0x06a86398 in js::GetArrayBufferLengthAndData ()
#30 0x0679a62c in JS::UnmarkGrayGCThingRecursively ()
#31 0x00735888 in ?? ()
#32 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#33 0x067bcadc in JS::UnmarkGrayGCThingRecursively ()
#34 0x06a7f5cc in js::GetArrayBufferLengthAndData ()
#35 0x06a8469c in js::GetArrayBufferLengthAndData ()
#36 0x06a85730 in js::GetArrayBufferLengthAndData ()
#37 0x06a86398 in js::GetArrayBufferLengthAndData ()
#38 0x0679a62c in JS::UnmarkGrayGCThingRecursively ()
#39 0x00735888 in ?? ()
#40 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#41 0x067bcf2c in JS::UnmarkGrayGCThingRecursively ()
#42 0x06a7e1d8 in js::GetArrayBufferLengthAndData ()
#43 0x06a8469c in js::GetArrayBufferLengthAndData ()
#44 0x06a85730 in js::GetArrayBufferLengthAndData ()
#45 0x0694f7e8 in js::VisitGrayWrapperTargets ()
#46 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#47 0x06a86398 in js::GetArrayBufferLengthAndData ()
#48 0x0679a62c in JS::UnmarkGrayGCThingRecursively ()
#49 0x00735888 in ?? ()
#50 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#51 0x067bcadc in JS::UnmarkGrayGCThingRecursively ()
#52 0x06a8479c in js::GetArrayBufferLengthAndData ()
#53 0x06a85730 in js::GetArrayBufferLengthAndData ()
#54 0x0694f270 in js::VisitGrayWrapperTargets ()
#55 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#56 0x06949900 in js::VisitGrayWrapperTargets ()
#57 0x1c4c2ae8 in ?? ()
#58 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#59 0x067bcadc in JS::UnmarkGrayGCThingRecursively ()
#60 0x06a7f5cc in js::GetArrayBufferLengthAndData ()
#61 0x06a8469c in js::GetArrayBufferLengthAndData ()
#62 0x06a85730 in js::GetArrayBufferLengthAndData ()
#63 0x0694f270 in js::VisitGrayWrapperTargets ()
#64 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#65 0x06a759dc in js::GetArrayBufferLengthAndData ()
#66 0x06a8469c in js::GetArrayBufferLengthAndData ()
#67 0x06a85730 in js::GetArrayBufferLengthAndData ()
#68 0x06949900 in js::VisitGrayWrapperTargets ()
#69 0x1c4c2ae8 in ?? ()
#70 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#71 0x067bcadc in JS::UnmarkGrayGCThingRecursively ()
#72 0x06a7f5cc in js::GetArrayBufferLengthAndData ()
#73 0x06a8469c in js::GetArrayBufferLengthAndData ()
#74 0x06a85730 in js::GetArrayBufferLengthAndData ()
#75 0x0694f7e8 in js::VisitGrayWrapperTargets ()
#76 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#77 0x06a759dc in js::GetArrayBufferLengthAndData ()
#78 0x06a8469c in js::GetArrayBufferLengthAndData ()
#79 0x06a85730 in js::GetArrayBufferLengthAndData ()
#80 0x0694f270 in js::VisitGrayWrapperTargets ()
#81 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#82 0x06a759dc in js::GetArrayBufferLengthAndData ()
#83 0x06a8469c in js::GetArrayBufferLengthAndData ()
#84 0x06a84c90 in js::GetArrayBufferLengthAndData ()
#85 0x06915c58 in JS::ReadOnlyCompileOptions::copyPODOptions ()
#86 0x0520cf94 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#87 0x0520d35c in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#88 0x0560417c in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#89 0x05604668 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#90 0x05607e68 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#91 0x05601ee8 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#92 0x0514e870 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#93 0x05150914 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#94 0x05129074 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#95 0x03fb0434 in XRE_AddJarManifestLocation ()
#96 0x03f2d1ac in _ZNSt6vectorIlSaIlEE13_M_insert_auxIIRKlEEEvN9__gnu_cxx17__normal_iteratorIPlS1_EEDpOT_ ()
#97 0x05028120 in js::BaseProxyHandler::finalizeInBackground ()
#98 0x04fd4b34 in js::BaseProxyHandler::finalizeInBackground ()
#99 0x907df300 in __CFRunLoopDoSources0 ()
#100 0x907de830 in __CFRunLoopRun ()
#101 0x907de2b0 in CFRunLoopRunSpecific ()
#102 0x932bcb20 in RunCurrentEventLoopInMode ()
#103 0x932bc12c in ReceiveNextEventCommon ()
#104 0x932bc020 in BlockUntilNextEventMatchingListInMode ()
#105 0x937a1734 in _DPSNextEvent ()
#106 0x937a13f8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#107 0x04fd3934 in js::BaseProxyHandler::finalizeInBackground ()
#108 0x9379d93c in -[NSApplication run] ()
#109 0x04fd3a38 in js::BaseProxyHandler::finalizeInBackground ()
#110 0x061dc7c0 in XRE_StartupTimelineRecord ()
#111 0x0619b974 in XRE_GetProcessType ()
#112 0x0619e0bc in XRE_GetProcessType ()
#113 0x0619e530 in XRE_main ()
#114 0x00004ee4 in dyld_stub_vfprintf$LDBL128 ()
#115 0x000020ec in start ()
(gdb) q

There is no JIT in the backtrace, but maybe it's a bad backtrace or a miscompile. Rebuilding with full symbols in G5.
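A small triage helper, added here and not part of the issue or of TenFourFox, that draws out the two things a reader can get from the opt-build backtrace above: the `??` frames are return addresses gdb could not name at all (in a JS engine that is where JIT-generated code lives, the kind of address comment #4 later disassembles), and a few exported names covering dozens of distinct addresses is the signature of a stripped build, which is why the trace looks weird. The frame sample is constructed from the trace above; the threshold for "too many addresses per name" is my own.

```python
import re
from collections import defaultdict

# One gdb "bt" frame, leading "#" optional (the issue text lost it):
#   "#6 0x00735d94 in ?? ()" or "#0 js::jit::BaselineScript::pcForReturnOffset (this=..."
FRAME_RE = re.compile(r"^#?(\d+)\s+(?:(0x[0-9a-fA-F]+)\s+in\s+)?(.+?)\s*\(")

# Constructed sample: frames 5-14 of the opt-build backtrace quoted in the issue.
SAMPLE_BT = """\
#5 0x06797754 in JS::UnmarkGrayGCThingRecursively ()
#6 0x00735d94 in ?? ()
#7 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#8 0x067bcf2c in JS::UnmarkGrayGCThingRecursively ()
#9 0x06a7e1d8 in js::GetArrayBufferLengthAndData ()
#10 0x06a8469c in js::GetArrayBufferLengthAndData ()
#11 0x06a85730 in js::GetArrayBufferLengthAndData ()
#12 0x06a86398 in js::GetArrayBufferLengthAndData ()
#13 0x0679a62c in JS::UnmarkGrayGCThingRecursively ()
#14 0x00735888 in ?? ()
"""

def parse_backtrace(text):
    """Return (frame_no, address or None, symbol) for every frame line in a gdb bt."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return frames

def unsymbolized_frames(frames):
    """Frames gdb printed as '??': return addresses outside every loaded image's
    symbol table. For a JS engine these are the JIT code addresses to disassemble."""
    return [(n, addr) for n, addr, sym in frames if sym == "??"]

def overloaded_symbols(frames, min_distinct=3):
    """Symbols gdb attached to several distinct addresses. A stripped optimized build
    keeps only exported symbols, so gdb names every address after the nearest one it
    has; one name spread over many unrelated addresses means the names are unreliable."""
    addrs = defaultdict(set)
    for _, addr, sym in frames:
        if addr and sym != "??":
            addrs[sym].add(addr)
    return {sym: len(a) for sym, a in addrs.items() if len(a) >= min_distinct}

if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BT)
    print("JIT candidates:", unsymbolized_frames(frames))
    print("unreliable names:", overloaded_symbols(frames))
```

Run it over the full 116-frame trace and only a handful of names survive with dozens of addresses each, which is the cue to do what the reporter did next: rebuild with symbols before trusting any frame name.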

Comment #1

Posted on Jul 5, 2014 by Massive Rhino

When the G5 version is built with --enable-debug, it doesn't crash either. So that probably rules out the JIT.

Comment #2

Posted on Jul 5, 2014 by Happy Bear

It's probably not important, but 31b3 on G3 doesn't crash, either.

Comment #3

Posted on Jul 5, 2014 by Massive Rhino

Nope, it's the JIT, after all.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x298fe000
js::jit::BaselineScript::pcForReturnOffset (this=, script=, nativeOffset=16492) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/BaselineJIT.cpp:747
747	    if (b & 0x80)
(gdb) bt 10
#0  js::jit::BaselineScript::pcForReturnOffset (this=, script=, nativeOffset=16492) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/BaselineJIT.cpp:747
#1  0x08b27974 in js::jit::JitFrameIterator::baselineScriptAndPc (this=, scriptRes=, pcRes=0xeffedc80) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/IonFrames.cpp:271
#2  0x08b2aebc in js::jit::GetPcScript (cx=, scriptRes=0xeffee0c0, pcRes=0xeffee130) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/IonFrames.cpp:1313
#3  0x08c7fee4 in JSContext::currentScript (this=0x1c6246a0, ppc=, allowCrossCompartment=DONT_ALLOW_CROSS_COMPARTMENT) at jscntxtinlines.h:479
#4  0x08c6e1d0 in js::baseops::GetProperty (cx=0x1c6246a0, obj=, receiver=, id=, vp={> = { >> = { >> = {}, }, }, ptr = 0xeffee678}) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jsobj.cpp:4283
#5  0x08a694a4 in DoGetPropFallback (cx=0x1c6246a0, frame=0xeffee720, stub_=0x2d1d74c0, val={> = { >> = { >> = {}, }, }, ptr = 0x0}, res={> = { >> = { >> = {}, }, }, ptr = 0xeffee678}) at jsobj.h:985
#6  0x0074ad94 in ?? ()
#7  0x08a8e3e4 in EnterBaseline (cx=0x1c6246a0, data=@0xeffee910) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/BaselineJIT.cpp:124
#8  0x08a8ec7c in js::jit::EnterBaselineAtBranch (cx=0x1c6246a0, fp=0x296efc10, pc=0x297cc73a "?T") at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/BaselineJIT.cpp:209
#9  0x08d4fb18 in Interpret (cx=0x1c6246a0, state=@0xeffef0cc) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/vm/Interpreter.cpp:1713
(More stack frames follow...)

Comment #4

Posted on Jul 5, 2014 by Massive Rhino

(gdb) disas 0x74ad80 0x74adb0
Dump of assembler code from 0x74ad80 to 0x74adb0:
0x0074ad80:	addi    r1,r1,-256
0x0074ad84:	stw     r18,0(r1)
0x0074ad88:	mflr    r18
0x0074ad8c:	lis     r0,2214
0x0074ad90:	bl      0x74ae18
0x0074ad94:	mtlr    r18
0x0074ad98:	lwz     r18,0(r1)
0x0074ad9c:	mr      r1,r16
0x0074ada0:	cmpwi   r3,0
0x0074ada4:	beq-    0x74add8
0x0074ada8:	li      r0,124
0x0074adac:	lwz     r6,0(r1)
End of assembler dump.

Comment #5

Posted on Jul 5, 2014 by Massive Rhino

Using 970 branching fixes the problem, so we did something wrong with the split.

Comment #6

Posted on Jul 5, 2014 by Massive Rhino

I'm going to stay with that since we're so close to launching and look at this again when I try to get Ion off the ground. There is a performance delta, but it's not worth it right now.

Comment #7

Posted on Jul 6, 2014 by Massive Rhino

After some more testing, I'm not sure in practice that the performance delta with V8 translates into anything meaningful. In fact, the browser "feels" quicker with the 970 branching back.

Comment #8

Posted on Aug 30, 2014 by Massive Rhino

Won't fix. Going to use MIPS instead.

Status: WontFix

Labels:
Type-Defect Priority-Medium