keeleysam / tenfourfox

Automatically exported from code.google.com/p/tenfourfox

G5 should use smaller branch stanzas, but crashes Google Docs #280

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The G5 opt build crashes when using Google Docs. It does not crash in DEBUG or 7450. It also crashes in b2. This is a showstopper.

The backtrace is weird:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x25f9e000
0x067bee10 in JS::UnmarkGrayGCThingRecursively ()
(gdb) bt
#0  0x067bee10 in JS::UnmarkGrayGCThingRecursively ()
#1  0x06855eb4 in JS::UnmarkGrayGCThingRecursively ()
#2  0x068593fc in JS::UnmarkGrayGCThingRecursively ()
#3  0x069ae534 in JS_CopyPropertiesFrom ()
#4  0x0699d0b0 in js_DumpBacktrace ()
#5  0x06797754 in JS::UnmarkGrayGCThingRecursively ()
#6  0x00735d94 in ?? ()
#7  0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#8  0x067bcf2c in JS::UnmarkGrayGCThingRecursively ()
#9  0x06a7e1d8 in js::GetArrayBufferLengthAndData ()
#10 0x06a8469c in js::GetArrayBufferLengthAndData ()
#11 0x06a85730 in js::GetArrayBufferLengthAndData ()
#12 0x06a86398 in js::GetArrayBufferLengthAndData ()
#13 0x0679a62c in JS::UnmarkGrayGCThingRecursively ()
#14 0x00735888 in ?? ()
#15 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#16 0x067bcadc in JS::UnmarkGrayGCThingRecursively ()
#17 0x06a8479c in js::GetArrayBufferLengthAndData ()
#18 0x06a85730 in js::GetArrayBufferLengthAndData ()
#19 0x06949900 in js::VisitGrayWrapperTargets ()
#20 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#21 0x06a759dc in js::GetArrayBufferLengthAndData ()
#22 0x06a8469c in js::GetArrayBufferLengthAndData ()
#23 0x06a85730 in js::GetArrayBufferLengthAndData ()
#24 0x06949900 in js::VisitGrayWrapperTargets ()
#25 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#26 0x06a759dc in js::GetArrayBufferLengthAndData ()
#27 0x06a8469c in js::GetArrayBufferLengthAndData ()
#28 0x06a85730 in js::GetArrayBufferLengthAndData ()
#29 0x06a86398 in js::GetArrayBufferLengthAndData ()
#30 0x0679a62c in JS::UnmarkGrayGCThingRecursively ()
#31 0x00735888 in ?? ()
#32 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#33 0x067bcadc in JS::UnmarkGrayGCThingRecursively ()
#34 0x06a7f5cc in js::GetArrayBufferLengthAndData ()
#35 0x06a8469c in js::GetArrayBufferLengthAndData ()
#36 0x06a85730 in js::GetArrayBufferLengthAndData ()
#37 0x06a86398 in js::GetArrayBufferLengthAndData ()
#38 0x0679a62c in JS::UnmarkGrayGCThingRecursively ()
#39 0x00735888 in ?? ()
#40 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#41 0x067bcf2c in JS::UnmarkGrayGCThingRecursively ()
#42 0x06a7e1d8 in js::GetArrayBufferLengthAndData ()
#43 0x06a8469c in js::GetArrayBufferLengthAndData ()
#44 0x06a85730 in js::GetArrayBufferLengthAndData ()
#45 0x0694f7e8 in js::VisitGrayWrapperTargets ()
#46 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#47 0x06a86398 in js::GetArrayBufferLengthAndData ()
#48 0x0679a62c in JS::UnmarkGrayGCThingRecursively ()
#49 0x00735888 in ?? ()
#50 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#51 0x067bcadc in JS::UnmarkGrayGCThingRecursively ()
#52 0x06a8479c in js::GetArrayBufferLengthAndData ()
#53 0x06a85730 in js::GetArrayBufferLengthAndData ()
#54 0x0694f270 in js::VisitGrayWrapperTargets ()
#55 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#56 0x06949900 in js::VisitGrayWrapperTargets ()
#57 0x1c4c2ae8 in ?? ()
#58 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#59 0x067bcadc in JS::UnmarkGrayGCThingRecursively ()
#60 0x06a7f5cc in js::GetArrayBufferLengthAndData ()
#61 0x06a8469c in js::GetArrayBufferLengthAndData ()
#62 0x06a85730 in js::GetArrayBufferLengthAndData ()
#63 0x0694f270 in js::VisitGrayWrapperTargets ()
#64 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#65 0x06a759dc in js::GetArrayBufferLengthAndData ()
#66 0x06a8469c in js::GetArrayBufferLengthAndData ()
#67 0x06a85730 in js::GetArrayBufferLengthAndData ()
#68 0x06949900 in js::VisitGrayWrapperTargets ()
#69 0x1c4c2ae8 in ?? ()
#70 0x067bc694 in JS::UnmarkGrayGCThingRecursively ()
#71 0x067bcadc in JS::UnmarkGrayGCThingRecursively ()
#72 0x06a7f5cc in js::GetArrayBufferLengthAndData ()
#73 0x06a8469c in js::GetArrayBufferLengthAndData ()
#74 0x06a85730 in js::GetArrayBufferLengthAndData ()
#75 0x0694f7e8 in js::VisitGrayWrapperTargets ()
#76 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#77 0x06a759dc in js::GetArrayBufferLengthAndData ()
#78 0x06a8469c in js::GetArrayBufferLengthAndData ()
#79 0x06a85730 in js::GetArrayBufferLengthAndData ()
#80 0x0694f270 in js::VisitGrayWrapperTargets ()
#81 0x06a858f4 in js::GetArrayBufferLengthAndData ()
#82 0x06a759dc in js::GetArrayBufferLengthAndData ()
#83 0x06a8469c in js::GetArrayBufferLengthAndData ()
#84 0x06a84c90 in js::GetArrayBufferLengthAndData ()
#85 0x06915c58 in JS::ReadOnlyCompileOptions::copyPODOptions ()
#86 0x0520cf94 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#87 0x0520d35c in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#88 0x0560417c in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#89 0x05604668 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#90 0x05607e68 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#91 0x05601ee8 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#92 0x0514e870 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#93 0x05150914 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#94 0x05129074 in js::SecurityWrapper<js::CrossCompartmentWrapper>::~SecurityWrapper ()
#95 0x03fb0434 in XRE_AddJarManifestLocation ()
#96 0x03f2d1ac in _ZNSt6vectorIlSaIlEE13_M_insert_auxIIRKlEEEvN9__gnu_cxx17__normal_iteratorIPlS1_EEDpOT_ ()
#97 0x05028120 in js::BaseProxyHandler::finalizeInBackground ()
#98 0x04fd4b34 in js::BaseProxyHandler::finalizeInBackground ()
#99 0x907df300 in __CFRunLoopDoSources0 ()
#100 0x907de830 in __CFRunLoopRun ()
#101 0x907de2b0 in CFRunLoopRunSpecific ()
#102 0x932bcb20 in RunCurrentEventLoopInMode ()
#103 0x932bc12c in ReceiveNextEventCommon ()
#104 0x932bc020 in BlockUntilNextEventMatchingListInMode ()
#105 0x937a1734 in _DPSNextEvent ()
#106 0x937a13f8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#107 0x04fd3934 in js::BaseProxyHandler::finalizeInBackground ()
#108 0x9379d93c in -[NSApplication run] ()
#109 0x04fd3a38 in js::BaseProxyHandler::finalizeInBackground ()
#110 0x061dc7c0 in XRE_StartupTimelineRecord ()
#111 0x0619b974 in XRE_GetProcessType ()
#112 0x0619e0bc in XRE_GetProcessType ()
#113 0x0619e530 in XRE_main ()
#114 0x00004ee4 in dyld_stub_vfprintf$LDBL128 ()
#115 0x000020ec in start ()
(gdb) q

There is no JIT in the backtrace, but maybe it's a bad backtrace or a miscompile. Rebuilding with full symbols in G5.

Original issue reported on code.google.com by classi...@floodgap.com on 5 Jul 2014 at 12:37

GoogleCodeExporter commented 9 years ago
When the G5 version is built with --enable-debug, it doesn't crash either. So that probably rules out the JIT.

Original comment by classi...@floodgap.com on 5 Jul 2014 at 4:18

GoogleCodeExporter commented 9 years ago
It's probably not important, but 31b3 on G3 doesn't crash, either.

Original comment by chtru...@web.de on 5 Jul 2014 at 4:40

GoogleCodeExporter commented 9 years ago
Nope, it's the JIT, after all.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x298fe000
js::jit::BaselineScript::pcForReturnOffset (this=<value temporarily unavailable, due to optimizations>, script=<value temporarily unavailable, due to optimizations>, nativeOffset=16492) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/BaselineJIT.cpp:747
747             if (b & 0x80)
(gdb) bt 10
#0  js::jit::BaselineScript::pcForReturnOffset (this=<value temporarily unavailable, due to optimizations>, script=<value temporarily unavailable, due to optimizations>, nativeOffset=16492) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/BaselineJIT.cpp:747
#1  0x08b27974 in js::jit::JitFrameIterator::baselineScriptAndPc (this=<value temporarily unavailable, due to optimizations>, scriptRes=<value temporarily unavailable, due to optimizations>, pcRes=0xeffedc80) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/IonFrames.cpp:271
#2  0x08b2aebc in js::jit::GetPcScript (cx=<value temporarily unavailable, due to optimizations>, scriptRes=0xeffee0c0, pcRes=0xeffee130) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/IonFrames.cpp:1313
#3  0x08c7fee4 in JSContext::currentScript (this=0x1c6246a0, ppc=<value temporarily unavailable, due to optimizations>, allowCrossCompartment=DONT_ALLOW_CROSS_COMPARTMENT) at jscntxtinlines.h:479
#4  0x08c6e1d0 in js::baseops::GetProperty (cx=0x1c6246a0, obj=<incomplete type>, receiver=<incomplete type>, id=<incomplete type>, vp={<js::MutableHandleBase<JS::Value>> = {<js::MutableValueOperations<JS::MutableHandle<JS::Value> >> = {<js::ValueOperations<JS::MutableHandle<JS::Value> >> = {<No data fields>}, <No data fields>}, <No data fields>}, ptr = 0xeffee678}) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jsobj.cpp:4283
#5  0x08a694a4 in DoGetPropFallback (cx=0x1c6246a0, frame=0xeffee720, stub_=0x2d1d74c0, val={<js::MutableHandleBase<JS::Value>> = {<js::MutableValueOperations<JS::MutableHandle<JS::Value> >> = {<js::ValueOperations<JS::MutableHandle<JS::Value> >> = {<No data fields>}, <No data fields>}, <No data fields>}, ptr = 0x0}, res={<js::MutableHandleBase<JS::Value>> = {<js::MutableValueOperations<JS::MutableHandle<JS::Value> >> = {<js::ValueOperations<JS::MutableHandle<JS::Value> >> = {<No data fields>}, <No data fields>}, <No data fields>}, ptr = 0xeffee678}) at jsobj.h:985
#6  0x0074ad94 in ?? ()
#7  0x08a8e3e4 in EnterBaseline (cx=0x1c6246a0, data=@0xeffee910) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/BaselineJIT.cpp:124
#8  0x08a8ec7c in js::jit::EnterBaselineAtBranch (cx=0x1c6246a0, fp=0x296efc10, pc=0x297cc73a "?T") at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/jit/BaselineJIT.cpp:209
#9  0x08d4fb18 in Interpret (cx=0x1c6246a0, state=@0xeffef0cc) at /Volumes/BruceDeuce/src/mozilla-31b3/js/src/vm/Interpreter.cpp:1713
(More stack frames follow...)

Original comment by classi...@floodgap.com on 5 Jul 2014 at 5:21

GoogleCodeExporter commented 9 years ago
(gdb) disas 0x74ad80 0x74adb0
Dump of assembler code from 0x74ad80 to 0x74adb0:
0x0074ad80:     addi    r1,r1,-256
0x0074ad84:     stw     r18,0(r1)
0x0074ad88:     mflr    r18
0x0074ad8c:     lis     r0,2214
0x0074ad90:     bl      0x74ae18
0x0074ad94:     mtlr    r18
0x0074ad98:     lwz     r18,0(r1)
0x0074ad9c:     mr      r1,r16
0x0074ada0:     cmpwi   r3,0
0x0074ada4:     beq-    0x74add8
0x0074ada8:     li      r0,124
0x0074adac:     lwz     r6,0(r1)
End of assembler dump.

Original comment by classi...@floodgap.com on 5 Jul 2014 at 5:35

GoogleCodeExporter commented 9 years ago
Using 970 branching fixes the problem, so we did something wrong with the split.

Original comment by classi...@floodgap.com on 5 Jul 2014 at 7:56
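Editor's note on the two comments above: the `lis r0,2214` at 0x74ad90 loads the high half of 0x08a694a4 (2214 = 0x08a6), the DoGetPropFallback address in frame #5 of the earlier backtrace, and frame #6's 0x0074ad94 is the return address of the `bl` that follows it, so this call site builds half of the callee address and calls through a trampoline. The following is an added example, not TenFourFox code: it encodes and decodes a conventional full lis/ori/mtctr/bctrl far-call stanza for that callee, checks why a plain `bl` cannot reach it, and shows the carry adjustment a signed lis/addi split needs. How the project's G5 trampoline at 0x74ae18 completes the address is not shown on the page and is not assumed here.

```c
#include <stdint.h>
#include <stdio.h>

/* Encoders for the 32-bit PowerPC instructions seen in the disassembly above.
 * Register numbers are 0..31; immediates are the 16-bit halves of an address. */
static uint32_t ppc_lis(unsigned rd, uint16_t hi) { return (15u << 26) | (rd << 21) | hi; }
static uint32_t ppc_ori(unsigned ra, unsigned rs, uint16_t lo) { return (24u << 26) | (rs << 21) | (ra << 16) | lo; }
static uint32_t ppc_mtctr(unsigned rs) { return (31u << 26) | (rs << 21) | (9u << 16) | (467u << 1); }
#define PPC_BCTRL 0x4E800421u

/* A plain `bl` carries a signed, word-aligned 26-bit displacement: about +/-32 MiB. */
static int bl_reaches(uint32_t from, uint32_t to) {
    int32_t d = (int32_t)(to - from);
    return (d & 3) == 0 && d >= -0x02000000 && d <= 0x01FFFFFC;
}

/* Full four-instruction far call: lis/ori build the absolute address in r0, mtctr/bctrl
 * jump through CTR. ori is a plain OR, so the split is simply >>16 and &0xFFFF. */
static void encode_far_call(uint32_t target, uint32_t out[4]) {
    out[0] = ppc_lis(0, (uint16_t)(target >> 16));
    out[1] = ppc_ori(0, 0, (uint16_t)(target & 0xFFFF));
    out[2] = ppc_mtctr(0);
    out[3] = PPC_BCTRL;
}

/* Recover the target from a stanza; returns 0 if the four words are not one. */
static int decode_far_call(const uint32_t in[4], uint32_t *target) {
    unsigned rd = (in[0] >> 21) & 0x1F;
    if ((in[0] >> 26) != 15 || ((in[0] >> 16) & 0x1F) != 0) return 0;   /* lis = addis rD,0,hi */
    if ((in[1] >> 26) != 24 || ((in[1] >> 21) & 0x1F) != rd || ((in[1] >> 16) & 0x1F) != rd) return 0;
    if (in[2] != ppc_mtctr(rd) || in[3] != PPC_BCTRL) return 0;
    *target = ((in[0] & 0xFFFF) << 16) | (in[1] & 0xFFFF);
    return 1;
}

/* If the low half is added (lis/addi) rather than OR-ed, it is sign-extended, so the
 * high half must absorb the borrow whenever bit 15 of the low half is set. */
static void split_signed(uint32_t target, uint16_t *hi, int16_t *lo) {
    *lo = (int16_t)(target & 0xFFFF);
    *hi = (uint16_t)((target - (uint32_t)(int32_t)*lo) >> 16);
}
static uint32_t join_signed(uint16_t hi, int16_t lo) { return ((uint32_t)hi << 16) + (uint32_t)(int32_t)lo; }

int main(void) {
    uint32_t site = 0x0074ad90u, callee = 0x08a694a4u, words[4], back = 0; /* frames #6 and #5 */
    printf("bl reaches 0x74ae18: %d, reaches callee: %d\n", bl_reaches(site, 0x0074ae18u), bl_reaches(site, callee));
    encode_far_call(callee, words);
    decode_far_call(words, &back);
    printf("lis immediate %u (gdb printed 2214), round trip 0x%08x\n", words[0] & 0xFFFFu, back);
    return 0;
}
```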

GoogleCodeExporter commented 9 years ago
I'm going to stay with that since we're so close to launching and look at this again when I try to get Ion off the ground. There is a performance delta, but it's not worth it right now.

Original comment by classi...@floodgap.com on 5 Jul 2014 at 10:34

GoogleCodeExporter commented 9 years ago
After some more testing, I'm not sure in practice that the performance delta with V8 translates into anything meaningful. In fact, the browser "feels" quicker with the 970 branching back.

Original comment by classi...@floodgap.com on 6 Jul 2014 at 6:03

GoogleCodeExporter commented 9 years ago
Won't fix. Going to use MIPS instead.

Original comment by classi...@floodgap.com on 30 Aug 2014 at 2:36