Bug 743706 (Closed): Crash [@ JSC::MacroAssemblerCodePtr::executableAddress]
Opened 13 years ago, closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 743088
People: Reporter: decoder, Unassigned
Keywords: crash, testcase; Whiteboard: js-triage-needed
The following test crashes on mozilla-central revision d0430a04d92a (options -m -n) with a chance of 10-30%:
var now = "now";
function MyDate() {
addTestCase() || this, this;
}
function UTCDateFromTime(t) {
return ( MyDateFromTime(t) );
}
function MyDateFromTime( t ) {
var d = new MyDate();
}
function addTestCase( startTime, setTime ) {
var UTCDate = UTCDateFromTime ( Number(setTime) );
(let ( offs = setTime.SECTION(TITLE.addTestCase + 3) ) test [ 1 ] );
}
addTestCase( now, -2208988800000 );
The crash does not reproduce in GDB or Valgrind for me; here is a crash trace from a core dump:
Program terminated with signal 11, Segmentation fault.
#0 0x000000000069301e in JSC::MacroAssemblerCodePtr::executableAddress (this=0x0) at ../assembler/assembler/MacroAssemblerCodeRef.h:150
150 return m_value;
(gdb) bt
#0 0x000000000069301e in JSC::MacroAssemblerCodePtr::executableAddress (this=0x0) at ../assembler/assembler/MacroAssemblerCodeRef.h:150
#1 0x00000000006a673c in JSC::RepatchBuffer::RepatchBuffer (this=0x7fff93f31d40, ref=...) at ../assembler/assembler/RepatchBuffer.h:54
#2 0x00000000006a6b34 in js::mjit::ic::Repatcher::Repatcher (this=0x7fff93f31d40, js=0x0) at ../methodjit/ICRepatcher.h:64
#3 0x0000000000741e54 in CallCompiler::disable (this=0x7fff93f31e40) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:583
#4 0x0000000000743e31 in CallCompiler::update (this=0x7fff93f31e40) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:971
#5 0x00000000007440cf in js::mjit::ic::Call (f=..., ic=0x1fe65c8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:1017
#6 0x00000000006a5dfc in JaegerTrampolineReturn ()
#7 0x00000000006a72a1 in js::mjit::EnterMethodJIT (cx=0x1fd7a80, fp=0x7fceeb17ee80, code=0x7fcef24c5eb8, stackLimit=0x7fceeb54b000, partial=true)
at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1052
#8 0x00000000006a751f in CheckStackAndEnterMethodJIT (cx=0x1fd7a80, fp=0x7fceeb17ee80, code=0x7fcef24c5eb8, partial=true) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1111
#9 0x00000000006a75e3 in js::mjit::JaegerShot (cx=0x1fd7a80, partial=true) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1123
#10 0x000000000050c2fd in js::Interpret (cx=0x1fd7a80, entryFrame=0x7fceeb17edf0, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinterp.cpp:2780
#11 0x000000000075bcfc in UncachedInlineCall (f=..., initial=js::INITIAL_NONE, pret=0x7fff93f32fe8, unjittable=0x7fff93f32ff0, argc=0)
at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/InvokeHelpers.cpp:375
#12 0x000000000075c215 in js::mjit::stubs::UncachedCallHelper (f=..., argc=0, lowered=false, ucr=0x7fff93f32fe0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/InvokeHelpers.cpp:458
#13 0x0000000000743dfb in CallCompiler::update (this=0x7fff93f33070) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:959
#14 0x00000000007440cf in js::mjit::ic::Call (f=..., ic=0x1fe65c8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:1017
#15 0x00007fcef24c5db2 in ?? ()
#16 0x00007fcef24c5eb8 in ?? ()
#17 0x0000000000000001 in ?? ()
#18 0x00007fff93f342e0 in ?? ()
#19 0x0000000000000000 in ?? ()
Marking this s-s because the bug is unstable (possible memory corruption) and also the crash signature is known for security problems.
Reporter, updated 13 years ago:
Crash Signature: [@ JSC::MacroAssemblerCodePtr::executableAddress]
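A small triage helper, added here as an example and not code from this bug or from SpiderMonkey: it parses gdb `bt` output like the trace above into frames, derives the [@ func] crash signature that Bugzilla records from the topmost symbolized frame, and lists which frames carry a null (0x0) argument, which in this trace points at frame #2 constructing the Repatcher with js=0x0 two calls below the faulting executableAddress. The function names and the trimmed sample backtrace are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample: the first frames of the gdb backtrace quoted in this bug,
# re-typed as single lines (a real `bt` may wrap a long frame onto two lines).
SAMPLE_BT = """\
#0  0x000000000069301e in JSC::MacroAssemblerCodePtr::executableAddress (this=0x0) at ../assembler/assembler/MacroAssemblerCodeRef.h:150
#1  0x00000000006a673c in JSC::RepatchBuffer::RepatchBuffer (this=0x7fff93f31d40, ref=...) at ../assembler/assembler/RepatchBuffer.h:54
#2  0x00000000006a6b34 in js::mjit::ic::Repatcher::Repatcher (this=0x7fff93f31d40, js=0x0) at ../methodjit/ICRepatcher.h:64
#3  0x0000000000741e54 in CallCompiler::disable (this=0x7fff93f31e40) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/methodjit/MonoIC.cpp:583
#15 0x00007fcef24c5db2 in ?? ()
"""

# One gdb frame line: "#N  0xPC in func (args) [at file:line]"
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+0x[0-9a-f]+ in (?P<func>.+?) \((?P<args>.*?)\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+))?\s*$"
)

@dataclass
class Frame:
    num: int
    func: str
    args: dict          # argument name -> value as gdb printed it
    location: Optional[str]

def parse_backtrace(text: str) -> list:
    """Parse `bt` output; lines that are not frames (prompt, wrapped tails) are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        args = dict(p.split("=", 1) for p in m["args"].split(", ") if "=" in p)
        loc = f"{m['file']}:{m['line']}" if m["file"] else None
        frames.append(Frame(int(m["n"]), m["func"], args, loc))
    return frames

def crash_signature(frames: list) -> str:
    """Signature in the [@ func] form used on this bug: topmost symbolized frame."""
    for f in frames:
        if f.func != "??":
            return f"[@ {f.func}]"
    return "[@ unknown]"

def null_pointer_args(frames: list) -> dict:
    """Frame number -> names of null (0x0) arguments, `this` included.
    The deepest frame with a null *argument* is where the bad pointer entered."""
    return {f.num: [k for k, v in f.args.items() if v == "0x0"]
            for f in frames if "0x0" in f.args.values()}
```

Run on the sample, `crash_signature` yields the signature recorded on this bug and `null_pointer_args` returns `{0: ["this"], 2: ["js"]}`, i.e. the null `this` in frame 0 is the `js=0x0` passed into the Repatcher constructor in frame 2.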
Comment 1, 13 years ago:
Based on the stack, this is bug 743088, which is crashing trunk on tinderbox every 10 or so builds.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated 11 years ago:
Group: core-security