450830 - TM: Crash when compiling iterator code.

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Andreas Gal :gal]

count=8; tryItOut("for (var oncx = 0; oncx < 3; ++oncx) { yield eval(\" \\\"\\\" \", <y><z/></y>); } ");
It's an iterator!
recording starting from fuzz.js:599@9
    trace

import vp=0x3402c8 name=$callee0 type=object flags=0
import vp=0x3402cc name=$this0 type=object flags=0
import vp=0x3402d0 name=$<anonymous>.oncx type=int flags=0
abort: 3473: fp->scopeChain is not global object
Abort recording (line 599, pc 9): JSOP_CALLNAME.
Trashing tree info.
recording starting from fuzz.js:753@93
    trace

import vp=0x835320 name=$callee0 type=object flags=0
import vp=0x835324 name=$this0 type=object flags=0
import vp=0x835328 name=$tryIteration.rv type=object flags=0
import vp=0x8353a4 name=$tryIteration.iterCount type=int flags=0
import vp=0x8353a8 name=$tryIteration.iterValue type=string flags=0
import vp=0x8353ac name=$stack0 type=object flags=0
    state = param ecx
    param1 = param edx
    sp = ld state[0]
    rp = ld state[4]
    cx = ld state[12]
    gp = ld state[8]
    eos = ld state[JSVAL_ERROR_COOKIE]
    eor = ld state[20]
    $callee0 = ld sp[-40]
    $this0 = ld sp[-32]
    $tryIteration.rv = ld sp[-24]
    ld1 = ld sp[-16]
    $tryIteration.iterCount = i2f ld1
    $tryIteration.iterValue = ld sp[-8]
    $stack0 = ld sp[0]
    FastCallIteratorNext1 = FastCallIteratorNext ( cx $stack0 )
    eq1 = eq FastCallIteratorNext1, JSVAL_ERROR_COOKIE
    xt1: xt eq1 -> 0x306fed sp+8 rp+0

    eq2 = eq FastCallIteratorNext1, JSVAL_HOLE
    eq3 = eq eq2, 0
    or1 = or $tryIteration.iterValue, JSVAL_STRING
    cmov1 = eq3 ? FastCallIteratorNext1 : or1
    and1 = and cmov1, JSVAL_TAGMASK
    eq4 = eq and1, JSVAL_STRING
    xf1: xf eq4 -> 0x306fed sp+8 rp+0


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00121e99 in nanojit::LIns::isop (this=0x0, o=nanojit::LIR_i2f) at LIR.h:311
311			bool isop(LOpcode o) const { return u.code == o; }
(gdb) bt
#0  0x00121e99 in nanojit::LIns::isop (this=0x0, o=nanojit::LIR_i2f) at LIR.h:311
#1  0x0010d6da in isPromoteInt (i=0x0) at jstracer.cpp:275
#2  0x00122e54 in FuncFilter::ins2 (this=0x341a30, v=nanojit::LIR_fadd, s0=0x0, s1=0x1020138) at jstracer.cpp:359
#3  0x00114a55 in TraceRecorder::inc (this=0x341930, v=@0x3402d0, v_ins=@0xbfffbe3c, incr=1, pre=true) at jstracer.cpp:2148
#4  0x00114b45 in TraceRecorder::inc (this=0x341930, v=@0x3402d0, incr=1, pre=true) at jstracer.cpp:2129
#5  0x0011c4a3 in TraceRecorder::record_JSOP_INCLOCAL (this=0x341930) at jstracer.cpp:4219
#6  0x0008597b in js_Interpret (cx=0x300ca0) at jsopcode.tbl:233
#7  0x00092a7e in SendToGenerator (cx=0x300ca0, op=JSGENOP_NEXT, obj=0x2537c0, gen=0x340250, arg=22) at jsiter.cpp:874
#8  0x00093000 in generator_op (cx=0x300ca0, op=JSGENOP_NEXT, vp=0x8353d0, argc=0) at jsiter.cpp:987
#9  0x00093068 in generator_next (cx=0x300ca0, argc=0, vp=0x8353d0) at jsiter.cpp:1002
#10 0x0008fa5e in js_Invoke (cx=0x300ca0, argc=0, vp=0x8353d0, flags=0) at jsinterp.cpp:1187
#11 0x00090132 in js_InternalInvoke (cx=0x300ca0, obj=0x2537c0, fval=2408784, flags=0, argc=0, argv=0x0, rval=0xbfffdb80) at jsinterp.cpp:1379
#12 0x0009230d in js_CallIteratorNext (cx=0x300ca0, iterobj=0x2537c0, rval=0xbfffdb80) at jsiter.cpp:613
#13 0x000629b9 in js_Interpret (cx=0x300ca0) at jsinterp.cpp:3181
#14 0x0008e9e7 in js_Execute (cx=0x300ca0, chain=0x23e000, script=0x838e00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1545
#15 0x00018e20 in JS_ExecuteScript (cx=0x300ca0, obj=0x23e000, script=0x838e00, rval=0x0) at jsapi.cpp:4942
#16 0x00002afe in Process (cx=0x300ca0, obj=0x23e000, filename=0xbffffa14 "fuzz.js", forceTTY=0) at js.cpp:277
#17 0x0000830e in ProcessArgs (cx=0x300ca0, obj=0x23e000, argv=0xbffff918, argc=2) at js.cpp:568
#18 0x00009484 in main (argc=2, argv=0xbffff918, envp=0xbffff924) at js.cpp:3983

Comment 2

[Jesse Ruderman]

The testcase in the dup WFM.  I turned the iteration stuff in the fuzzer back on and didn't find any crashes/assertions in the first few seconds.  If I do find anything, it will be a new bug :)