https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65743

--- Comment #1 from Jan Hubicka <hubicka at gcc dot gnu.org> ---
At least I can work out the backtrace:
#0  0x00007ffff4a4291e in js::BaseProxyHandler::hasOwn(JSContext*,
JS::Handle<JSObject*>, JS::Handle<jsid>, bool*) const ()
   from /aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#1  0x00007ffff4ab9231 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>,
JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) ()
   from /aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#2  0x00007ffff4aa0173 in Interpret(JSContext*, js::RunState&) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#3  0x00007ffff4aaa22b in js::RunScript(JSContext*, js::RunState&) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#4  0x00007ffff4aabb3d in js::Invoke(JSContext*, JS::CallArgs,
js::MaybeConstruct) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#5  0x00007ffff4aad421 in js::Invoke(JSContext*, JS::Value const&, JS::Value
const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) ()
   from /aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#6  0x00007ffff4bd16d2 in JS_CallFunctionValue(JSContext*,
JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&,
JS::MutableHandle<JS::Value>) ()
   from /aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#7  0x00007ffff47e7bb3 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*,
unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) ()
   from /aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#8  0x00007ffff4da8eae in PrepareAndDispatch () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#9  0x00007ffff4d68f4b in SharedStub () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#10 0x00007ffff46856b9 in
mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&,
mozilla::ELMCreationDetector&) ()
   from /aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#11 0x00007ffff468600e in
mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&,
mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*,
mozilla::ELMCreationDetector&) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#12 0x00007ffff4686cbd in mozilla::EventDispatcher::Dispatch(nsISupports*,
nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*,
mozilla::EventDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) ()
from /aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#13 0x00007ffff4687c52 in
mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*,
nsIDOMEvent*, nsPresContext*, nsEventStatus*) ()
   from /aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#14 0x00007ffff489e904 in nsDocument::OnPageHide(bool,
mozilla::dom::EventTarget*) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#15 0x00007ffff48daeb1 in nsDocumentViewer::PageHide(bool) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#16 0x00007ffff4c793b5 in nsDocShell::FirePageHideNotification(bool) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#17 0x00007ffff50aca6e in nsDSURIContentListener::DoContent(char const*, bool,
nsIRequest*, nsIStreamListener**, bool*) ()
   from /aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#18 0x00007ffff4f12bb9 in
nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*)
[clone .constprop.18704] ()
   from /aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#19 0x00007ffff4f2f60b in nsDocumentOpenInfo::DispatchContent(nsIRequest*,
nsISupports*) [clone .constprop.18703] () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#20 0x00007ffff4ef768c in nsDocumentOpenInfo::OnStartRequest(nsIRequest*,
nsISupports*) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#21 0x00007ffff45fffd7 in nsBaseChannel::OnStartRequest(nsIRequest*,
nsISupports*) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#22 0x00007ffff46505eb in
nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#23 0x00007ffff45e9e14 in nsInputStreamReadyEvent::Run() () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#24 0x00007ffff464d06c in nsThread::ProcessNextEvent(bool, bool*) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#25 0x00007ffff4623b4b in NS_ProcessNextEvent(nsIThread*, bool) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#26 0x00007ffff4623e19 in nsThread::Shutdown() () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#27 0x00007ffff4d6d95d in nsRunnableMethodImpl<tag_nsresult (nsIThread::*)(),
void, true>::Run() () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#28 0x00007ffff465c259 in
mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#29 0x00007ffff4dcd857 in MessageLoop::Run() () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#30 0x00007ffff4e7c9b9 in nsBaseAppShell::Run() () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#31 0x00007ffff505e273 in nsAppStartup::Run() () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#32 0x00007ffff50800c2 in XRE_main () from
/aux/hubicka/firefox6-50-lto-test6-fdo-hg200-b/dist/bin/libxul.so
#33 0x000000000040a9b4 in do_main(int, char**, nsIFile*) [clone .lto_priv.29]
()
#34 0x0000000000409be3 in main ()

It is a virtual call:
Dump of assembler code for function
_ZNK2js16BaseProxyHandler6hasOwnEP9JSContextN2JS6HandleIP8JSObjectEENS4_I4jsidEEPb:
   0x00007ffff4a428c0 <+0>:     push   %rbp
   0x00007ffff4a428c1 <+1>:     mov    %rsp,%rbp
   0x00007ffff4a428c4 <+4>:     push   %rbx
   0x00007ffff4a428c5 <+5>:     mov    %r8,%rbx
   0x00007ffff4a428c8 <+8>:     sub    $0x48,%rsp
   0x00007ffff4a428cc <+12>:    mov    0xc5db0d(%rip),%rax        #
0x7ffff56a03e0 <JSVAL_VOID>
   0x00007ffff4a428d3 <+19>:    lea    0x80(%rsi),%r8
   0x00007ffff4a428da <+26>:    mov    %r8,-0x50(%rbp)
   0x00007ffff4a428de <+30>:    lea    -0x50(%rbp),%r8
   0x00007ffff4a428e2 <+34>:    mov    0x80(%rsi),%r9
   0x00007ffff4a428e9 <+41>:    mov    %r8,0x80(%rsi)
   0x00007ffff4a428f0 <+48>:    add    $0x10,%r8
   0x00007ffff4a428f4 <+52>:    movq   $0x0,-0x40(%rbp)
   0x00007ffff4a428fc <+60>:    movl   $0x0,-0x38(%rbp)
   0x00007ffff4a42903 <+67>:    mov    %rax,-0x20(%rbp)
   0x00007ffff4a42907 <+71>:    mov    (%rdi),%rax
   0x00007ffff4a4290a <+74>:    movq   $0x0,-0x30(%rbp)
   0x00007ffff4a42912 <+82>:    movq   $0x0,-0x28(%rbp)
   0x00007ffff4a4291a <+90>:    mov    %r9,-0x48(%rbp)
=> 0x00007ffff4a4291e <+94>:    callq  *0x10(%rax)
   0x00007ffff4a42921 <+97>:    test   %al,%al
   0x00007ffff4a42923 <+99>:    je     0x7ffff403681a
<_ZNK2js16BaseProxyHandler6hasOwnEP9JSContextN2JS6HandleIP8JSObjectEENS4_I4jsidEEPb.cold.25>

 which usually dispatches to

 <xpc::XrayWrapper<js::CrossCompartmentWrapper,
xpc::DOMXrayTraits>::getOwnPropertyDescriptor(JSContext*,
JS::Handle<JSObject*>, JS::Handle<jsid>,
JS::MutableHandle<JSPropertyDescriptor>) const>
table pointer seems bogus showing to 

this time it goes to

$16 = (void *) 0x7ffff47ddcd0 <xpc::XrayWrapper<js::CrossCompartmentWrapper,
xpc::DOMXrayTraits>::getOwnPropertyDescriptor(JSContext*,
JS::Handle<JSObject*>, JS::Handle<jsid>,
JS::MutableHandle<JSPropertyDescriptor>) const>

which seems sane.

Dump of assembler code for function
_ZNK3xpc11XrayWrapperIN2js23CrossCompartmentWrapperENS_13DOMXrayTraitsEE24getOwnPropertyDescriptorEP9JSContextN2JS6HandleIP8JSObjectEENS8_I4jsidEENS7_13MutableHandleI20JSPropertyDescriptorEE:
   0x00007ffff47ddcd0 <+0>:     push   %rbp
   0x00007ffff47ddcd1 <+1>:     movabs $0xfffbffffffffffff,%r9
   0x00007ffff47ddcdb <+11>:    mov    %rsp,%rbp
   0x00007ffff47ddcde <+14>:    push   %r12
   0x00007ffff47ddce0 <+16>:    push   %rbx
   0x00007ffff47ddce1 <+17>:    sub    $0x20,%rsp
   0x00007ffff47ddce5 <+21>:    mov    (%rdx),%rax
   0x00007ffff47ddce8 <+24>:    mov    0x10(%rax),%rbx
   0x00007ffff47ddcec <+28>:    mov    0x8(%rbx),%r10
   0x00007ffff47ddcf0 <+32>:    cmp    %r9,%r10
   0x00007ffff47ddcf3 <+35>:    jbe    0x7ffff47ddd70
<_ZNK3xpc11XrayWrapperIN2js23CrossCompartmentWrapperENS_13DOMXrayTraitsEE24getOwnPropertyDescriptorEP9JSContextN2JS6HandleIP8JSObjectEENS8_I4jsidEENS7_13MutableHandleI20JSPropertyDescriptorEE+160>
   0x00007ffff47ddcf5 <+37>:    lea    -0x30(%rbp),%r11
   0x00007ffff47ddcf9 <+41>:    mov    %rcx,%r9
   0x00007ffff47ddcfc <+44>:    mov    0x18(%rsi),%rcx
   0x00007ffff47ddd00 <+48>:    mov    %r11,0x18(%rsi)
   0x00007ffff47ddd04 <+52>:    mov    %rdx,%r12
   0x00007ffff47ddd07 <+55>:    mov    %rdi,%rdx
   0x00007ffff47ddd0a <+58>:    movabs $0x7fffffffffff,%rdi
   0x00007ffff47ddd14 <+68>:    sub    $0x8,%rsp
   0x00007ffff47ddd18 <+72>:    and    %r10,%rdi
   0x00007ffff47ddd1b <+75>:    mov    %r8,%rbx
   0x00007ffff47ddd1e <+78>:    lea    0x18(%rsi),%r8
   0x00007ffff47ddd22 <+82>:    push   %rbx
   0x00007ffff47ddd23 <+83>:    mov    %rdi,-0x20(%rbp)
   0x00007ffff47ddd27 <+87>:    mov    %r8,-0x30(%rbp)
   0x00007ffff47ddd2b <+91>:    mov    %rcx,-0x28(%rbp)
   0x00007ffff47ddd2f <+95>:    mov    %r12,%rcx
   0x00007ffff47ddd32 <+98>:    lea    0x10(%r11),%r8
   0x00007ffff47ddd36 <+102>:   lea    0x2471f93(%rip),%rdi        #
0x7ffff6c4fcd0 <_ZN3xpc13DOMXrayTraits9singletonE>
   0x00007ffff47ddd3d <+109>:   callq  0x7ffff47dd180
<_ZN3xpc13DOMXrayTraits18resolveOwnPropertyEP9JSContextRKN2js7WrapperEN2JS6HandleIP8JSObjectEESB_NS8_I4jsidEENS7_13MutableHandleI20JSPropertyDescriptorEE>
   0x00007ffff47ddd42 <+114>:   pop    %rdx
   0x00007ffff47ddd43 <+115>:   pop    %rcx
   0x00007ffff47ddd44 <+116>:   test   %al,%al
   0x00007ffff47ddd46 <+118>:   je     0x7ffff47ddd55
<_ZNK3xpc11XrayWrapperIN2js23CrossCompartmentWrapperENS_13DOMXrayTraitsEE24getOwnPropertyDescriptorEP9JSContextN2JS6HandleIP8JSObjectEENS8_I4jsidEENS7_13MutableHandleI20JSPropertyDescriptorEE+133>
   0x00007ffff47ddd48 <+120>:   cmpq   $0x0,(%rbx)
   0x00007ffff47ddd4c <+124>:   je     0x7ffff47ddd55
<_ZNK3xpc11XrayWrapperIN2js23CrossCompartmentWrapperENS_13DOMXrayTraitsEE24getOwnPropertyDescriptorEP9JSContextN2JS6HandleIP8JSObjectEENS8_I4jsidEENS7_13MutableHandleI20JSPropertyDescriptorEE+133>
   0x00007ffff47ddd4e <+126>:   mov    (%r12),%rsi
   0x00007ffff47ddd52 <+130>:   mov    %rsi,(%rbx)
   0x00007ffff47ddd55 <+133>:   mov    -0x28(%rbp),%r10
   0x00007ffff47ddd59 <+137>:   mov    -0x30(%rbp),%r9
   0x00007ffff47ddd5d <+141>:   mov    %r10,(%r9)
   0x00007ffff47ddd60 <+144>:   lea    -0x10(%rbp),%rsp
   0x00007ffff47ddd64 <+148>:   pop    %rbx
   0x00007ffff47ddd65 <+149>:   pop    %r12
   0x00007ffff47ddd67 <+151>:   pop    %rbp
   0x00007ffff47ddd68 <+152>:   retq   
   0x00007ffff47ddd69 <+153>:   nopl   0x0(%rax)
   0x00007ffff47ddd70 <+160>:   lea    -0x30(%rbp),%rdx
=> 0x00007ffff47ddd74 <+164>:   mov    %rdx,0x18(%rsi)
End of assembler dump.

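so apparently we jump to __builtin_unreachable: the jbe at <+35> goes to <+160>, where the code simply runs off the end of the function with no return.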
