640608 - TI: Crash [@ js::mjit::Recompiler::patchNative]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

{
    function x() {}
}
o = (0).__proto__;
function f(o) {
    o._("", function() {})
}
f(o)

crashes js opt shell on JM changeset 8b03f0698742 with -m, -n and -a at js::mjit::Recompiler::patchNative.

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

It's so common it virtually blows up the fuzzers.

Probably regressed around the recent TM->JM merge around this changeset.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00003895
0x002afa64 in js::mjit::Recompiler::patchNative ()
(gdb) bt
#0  0x002afa64 in js::mjit::Recompiler::patchNative ()
#1  0x002afc0e in js::mjit::Recompiler::recompile ()
#2  0x002b094a in js::mjit::Recompiler::recompile ()
#3  0x00098247 in js::types::TypeCompartment::processPendingRecompiles ()
#4  0x000a5f1b in js::types::TypeCompartment::dynamicPush ()
#5  0x000c9fc4 in js_OnUnknownMethod ()
#6  0x002a19fd in js::mjit::ic::CallProp ()
#7  0x003b51a5 in ?? ()
#8  0x0021c16d in js::mjit::JaegerShot ()
#9  0x000b94ae in js::Interpret ()
#10 0x000cab2c in js::RunScript ()
#11 0x000cd963 in js::Execute ()
#12 0x0001ab5b in JS_ExecuteScript ()
#13 0x0000a30c in Process ()
#14 0x0000bfbb in Shell ()
#15 0x0000c5bc in main ()

Comment 2

[Brian Hackett [Laid off!]]

There is a VMFrame field now used to indicate whether we are in a native call, which wasn't being initialized.  So we try to recompile and think the VMFrame is in the middle of a native call when it isn't, and crash.

http://hg.mozilla.org/projects/jaegermonkey/rev/719e89901c29

Comment 3

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug640608.js.