625718 - Crash in mjit generated code

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jan de Mooij [:jandem]]

Attachment: Testcase

Attached file crashes with -m in mjit-generated code.

Comment 1

[Jan de Mooij [:jandem]]

Attachment: Stacktrace

Comment 2

[Jan de Mooij [:jandem]]

Reduced to this:
---
var o3 = new String("foobarbaz");
var o10 = Math;
var o11 = function() {};

function f3(o) { return o; };
function f4(o) { o.g4 = function() {}; };

for(var i=0; i<20; i++) {
    o11[3] = undefined;
    f4(o3);
    f3(o3);
    f4(o11);
    f4(o10);
}

Comment 3

[Jan de Mooij [:jandem]]

Further reduced:
--
function f3() { return 2; };
function f4(o) { o.g4 = function() {}; };

var f = function() {};
f.x = undefined;
f4(new String("x"));
f3();
f4(f);

for(var i=0; i<20; i++) {
    f4(Math);
}

Comment 4

[Jan de Mooij [:jandem]]

I had another testcase that crashed with -m -j  but not with -m. After reducing, it crashes also with -m and I think it's the same issue. It might be easier to debug:
---
var arr = [];
var obj = {};

function f1(o) { 
    o.x = function() {}; 
};
function f2() {};

f1(arr);
f2();
f1(obj);

for(var i=0; i<100; i++) {
    f1(arr);
}

Comment 5

[Chris Leary [:cdleary] (not checking bugmail)]

Attachment: Correct and de-uglify setprop labels.

Jacob said he could run the patch on ARM (and hopefully fix it if it's only a little broken :-) seeing as how I left my ARM board in the office.

Comment 6

[Jacob Bramley [:jbramley]]

Comment on attachment 503841 [details] [diff] [review]
Correct and de-uglify setprop labels.

Giving r+ based on a code review. I'm still testing on ARM, but it doesn't look like it will cause problems.

Comment 7

[Chris Leary [:cdleary] (not checking bugmail)]

http://hg.mozilla.org/tracemonkey/rev/fb2192c7b8c2

Comment 8

[Chris Leary [:cdleary] (not checking bugmail)]

http://hg.mozilla.org/mozilla-central/rev/fb2192c7b8c2