584644 - JM: Crash [@ 0xd7c91f6c]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

x = Math.tan(this)
Function("\
  for each(let a in[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]) {\
    for each(l in[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,x,0,0,0,0,0,0,0,0,x]) {\
      function aaaaa(){}\
      aaaaa()\
    }\
  }\
")()

crashes js debug and opt shell on Mac 32-bit on JM changeset 6347cf00d3ab with -m at a weird memory address near js::mjit::JaegerShot.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xd7c91f6c
0x004c9eeb in ?? ()
(gdb) bt
#0  0x004c9eeb in ?? ()
#1  0x001f642b in js::mjit::JaegerShot (cx=0x50a900) at ../methodjit/MethodJIT.cpp:696
#2  0x000b993b in js::RunScript (cx=0x50a900, script=0x50dbb0, fun=0x0, scopeChain=0x702000) at jsinterp.cpp:466
#3  0x000bae9c in js::Execute (cx=0x50a900, chain=0x702000, script=0x50dbb0, down=0x0, flags=0, result=0xbffff680) at jsinterp.cpp:954
#4  0x00017d30 in JS_ExecuteScript (cx=0x50a900, obj=0x702000, script=0x50dbb0, rval=0xbffff680) at ../jsapi.cpp:4737
#5  0x0000cc5a in Process (cx=0x50a900, obj=0x702000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:534
#6  0x0000d65f in ProcessArgs (cx=0x50a900, obj=0x702000, argv=0xbffff84c, argc=1) at ../../shell/js.cpp:861
#7  0x0000d778 in shell (cx=0x50a900, argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5010
#8  0x0000d89c in main (argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5106
(gdb) x/i $eip
0x4c9eeb:       movl   $0xffff00ff,-0x2936e1c4(%ebx)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This occurs on Linux 32-bit as well.

Comment 2

[David Anderson [:dvander] - inactive, e-mail if emergency]

http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/1f1ebc480270

Comment 4

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug584644-2.js.