585540 - JM: Crash [@ js::mjit::JaegerShot]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

try {
    (function () {
        gczeal(2)()
    })()
} catch (e) {}
(function () {
    for (y in [/x/, Boolean, Boolean, 0, Boolean]) {
        [Math.floor(this)].some(function () {})
    }
})()

crashes js debug shell on JM changeset 703591778058 with -m at js::mjit::JaegerShot


Program received signal SIGSEGV, Segmentation fault.
0xf76a8929 in ?? ()
(gdb) bt
#0  0xf76a8929 in ?? ()
#1  0x08212a16 in js::mjit::JaegerShot (cx=0x8342c68) at ../methodjit/MethodJIT.cpp:696
#2  0x080d98dc in js::RunScript (cx=0x8342c68, script=0x8347c80, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:466
#3  0x080da6d5 in js::Execute (cx=0x8342c68, chain=0xf7502000, script=0x8347c80, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:954
#4  0x0806fc54 in JS_ExecuteScript (cx=0x8342c68, obj=0xf7502000, script=0x8347c80, rval=0xffffd200) at ../jsapi.cpp:4740
#5  0x0804c30a in Process (cx=0x8342c68, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:534
#6  0x0804ce99 in ProcessArgs (cx=0x8342c68, obj=0xf7502000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:861
#7  0x08055666 in shell (cx=0x8342c68, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5034
#8  0x08055782 in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5130
(gdb) x/i $eip
=> 0xf76a8929:	testl  $0xffff0000,(%eax,%eax,1)
(gdb) x/b $eax
0xf7502300:	0x60

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

callprop patching is broken somewhere

Comment 2

[David Anderson [:dvander] - inactive, e-mail if emergency]

http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/859ade0a4aa8

Comment 4

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug585540.js.