558099 - JM: Crash [@ js::methodjit::JaegerShot]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: testcase

This was a hard nut to crack. The testcase crashes 32-bit js debug shell with -m on JM tip at a weird memory address followed by js::methodjit::JaegerShot at SIGILL. (Pass the testcase in as a CLI argument to reproduce)

Stack:

Exception Type:  EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   ???                           	0x003ea925 0 + 4106533
1   js-dbg-32-jm-darwin           	0x001e2e7c js::methodjit::JaegerShot(JSContext*) + 408
2   js-dbg-32-jm-darwin           	0x000a1044 js_RunScript + 158
3   js-dbg-32-jm-darwin           	0x000a1593 js_Execute + 1253
4   js-dbg-32-jm-darwin           	0x00012395 JS_ExecuteScript + 54
5   js-dbg-32-jm-darwin           	0x0000ac35 Process(JSContext*, JSObject*, char*, int) + 458 (js.cpp:450)
6   js-dbg-32-jm-darwin           	0x0000b9a2 ProcessArgs(JSContext*, JSObject*, char**, int) + 2326 (js.cpp:870)
7   js-dbg-32-jm-darwin           	0x0000bd6f main + 953 (js.cpp:4975)
8   js-dbg-32-jm-darwin           	0x000029c1 _start + 208
9   js-dbg-32-jm-darwin           	0x000028f0 start + 40

Comment 1

[David Mandelin [:dmandelin]]

Great find. This was in the PIC invalidation code, which happens rarely in normal operation, so it is hard to test for.

http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/0b7f385f3f59

Comment 2

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/pic/bug558099.js.