588338 - JM: Crash [@ js::mjit::JaegerShot] with gczeal

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, critical)

Description

[Gary Kwong [:gkw] [:nth10sd]]

function() { (e)
} (x = Proxy.createFunction((function(x) {
  return {
    get: function(r, b) {
      return x[b]
    }
  }
})(/x/), wrap))
for (z = 0;; x.unwatch())
for (e in [0]) {
  gczeal(2)
} ( <x/>)("")


crashes js debug shell on JM changeset 43e1eedfc1cc with -m at js::mjit::JaegerShot

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x9d4efcfa
0x9d4efcfa in ?? ()
(gdb) bt
#0  0x9d4efcfa in ?? ()
Cannot access memory at address 0x9d4efcfa
#1  0x001f1ee5 in js::mjit::JaegerShot (cx=0x809400) at ../methodjit/MethodJIT.cpp:664
#2  0x000bd05a in js::RunScript (cx=0x809400, script=0x50ccd0, fun=0x1406678, scopeChain=0x1402000) at jsinterp.cpp:465
#3  0x000be207 in js::InvokeCommon<int (*)(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)> (cx=0x809400, fun=0x1406678, script=0x50ccd0, native=0, argsRef=@0xbffff0e4, flags=0) at jsinterp.cpp:638
#4  0x000befb5 in js::Invoke (cx=0x809400, args=@0xbffff0e4, flags=0) at jsinterp.cpp:759
#5  0x000bf5db in js::InternalInvoke (cx=0x809400, thisv=@0xbffff148, fval=@0xbffff178, flags=0, argc=2, argv=0xbffff218, rval=0xbffff398) at jsinterp.cpp:799
#6  0x0011b914 in js::InternalCall (cx=0x809400, obj=0x1402270, fval=@0xbffff178, argc=2, argv=0xbffff218, rval=0xbffff398) at jsinterp.h:680
#7  0x0011cf7e in js::Trap (cx=0x809400, handler=0x1402270, fval={data = {asBits = 18446462628818592416, s = {payload = {i32 = 20980384, u32 = 20980384, boo = 20980384, str = 0x14022a0, obj = 0x14022a0, ptr = 0x14022a0, why = 20980384}, tag = JSVAL_TAG_OBJECT}, asDouble = -nan(0xf0007014022a0)}}, argc=2, argv=0xbffff218, rval=0xbffff398) at ../jsproxy.cpp:332
#8  0x0011ec16 in js::JSScriptedProxyHandler::get (this=0x2dcad4, cx=0x809400, proxy=0x14022d0, receiver=0x14022d0, id={asBits = 20975008}, vp=0xbffff398) at ../jsproxy.cpp:597
#9  0x0011a0d4 in js::JSProxy::get (cx=0x809400, proxy=0x14022d0, receiver=0x14022d0, id={asBits = 20975008}, vp=0xbffff398) at ../jsproxy.cpp:756
#10 0x0011a117 in js::proxy_GetProperty (cx=0x809400, obj=0x14022d0, id={asBits = 20975008}, vp=0xbffff398) at ../jsproxy.cpp:843
#11 0x000d95a4 in js_GetMethod (cx=0x809400, obj=0x14022d0, id={asBits = 20975008}, getHow=2, vp=0xbffff398) at ../jsobj.cpp:4860
#12 0x00233954 in js::mjit::ic::CallProp (f=@0xbffff410, index=1) at ../methodjit/PolyIC.cpp:2059
#13 0x004ef942 in ?? ()
#14 0x001f1ee5 in js::mjit::JaegerShot (cx=0x809400) at ../methodjit/MethodJIT.cpp:664
#15 0x000bd05a in js::RunScript (cx=0x809400, script=0x50c9c0, fun=0x0, scopeChain=0x1402000) at jsinterp.cpp:465
#16 0x000be963 in js::Execute (cx=0x809400, chain=0x1402000, script=0x50c9c0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:951
#17 0x0001719b in JS_ExecuteScript (cx=0x809400, obj=0x1402000, script=0x50c9c0, rval=0x0) at ../jsapi.cpp:4754
#18 0x0000c61d in Process (cx=0x809400, obj=0x1402000, filename=0xbffff93f "jaegerShotCrash.js", forceTTY=0) at ../../shell/js.cpp:441
#19 0x0000d38f in ProcessArgs (cx=0x809400, obj=0x1402000, argv=0xbffff820, argc=2) at ../../shell/js.cpp:861
#20 0x0000d4a8 in shell (cx=0x809400, argc=2, argv=0xbffff820, envp=0xbffff82c) at ../../shell/js.cpp:5133
#21 0x0000d5cc in main (argc=2, argv=0xbffff820, envp=0xbffff82c) at ../../shell/js.cpp:5229
(gdb) x/i $eip
0x9d4efcfa:     Cannot access memory at address 0x9d4efcfa

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fix

Nice test case. GETELEM PIC kind wasn't handled in reset().

Comment 2

[David Anderson [:dvander] - inactive, e-mail if emergency]

http://hg.mozilla.org/projects/jaegermonkey/rev/24afcf139dca

Comment 3

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug588338.js.