Closed Bug 640608 Opened 9 years ago Closed 9 years ago

TI: Crash [@ js::mjit::Recompiler::patchNative]

Categories: Core :: JavaScript Engine, defect, critical

Platform: x86 macOS

Status: RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression, testcase, Whiteboard: fixed-in-jaegermonkey)

{
    function x() {}   // block-scoped function statement; keeps the script on the JM path being fuzzed
}
o = (0).__proto__;    // Number.prototype
function f(o) {
    o._("", function() {})   // calls a method that does not exist, which goes through js_OnUnknownMethod (see the backtrace)
}
f(o)

crashes js opt shell on JM changeset 8b03f0698742 with -m, -n and -a at js::mjit::Recompiler::patchNative.

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

It's so common it virtually blows up the fuzzers.

Probably regressed in the recent TM->JM merge, around this changeset.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00003895
0x002afa64 in js::mjit::Recompiler::patchNative ()
(gdb) bt
#0  0x002afa64 in js::mjit::Recompiler::patchNative ()
#1  0x002afc0e in js::mjit::Recompiler::recompile ()
#2  0x002b094a in js::mjit::Recompiler::recompile ()
#3  0x00098247 in js::types::TypeCompartment::processPendingRecompiles ()
#4  0x000a5f1b in js::types::TypeCompartment::dynamicPush ()
#5  0x000c9fc4 in js_OnUnknownMethod ()
#6  0x002a19fd in js::mjit::ic::CallProp ()
#7  0x003b51a5 in ?? ()
#8  0x0021c16d in js::mjit::JaegerShot ()
#9  0x000b94ae in js::Interpret ()
#10 0x000cab2c in js::RunScript ()
#11 0x000cd963 in js::Execute ()
#12 0x0001ab5b in JS_ExecuteScript ()
#13 0x0000a30c in Process ()
#14 0x0000bfbb in Shell ()
#15 0x0000c5bc in main ()
There is a VMFrame field now used to indicate whether we are in a native call, which wasn't being initialized.  So we try to recompile and think the VMFrame is in the middle of a native call when it isn't, and crash.

http://hg.mozilla.org/projects/jaegermonkey/rev/719e89901c29
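The bug class described in the fix comment (a newly added per-frame flag that nothing initializes, so a later consumer reads stale memory and takes the wrong branch) is easy to reproduce in isolation. The following is an added illustration written for this page, not SpiderMonkey's code: the struct, field names (`in_native_call`, `native_ret_addr`), `patch_native` and the setup functions are all hypothetical stand-ins, and the 0xAB fill is constructed garbage standing in for whatever the frame's memory held before.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the VMFrame mentioned in the fix
 * comment. This is NOT SpiderMonkey's struct; the field names are invented
 * to illustrate the bug class. */
typedef struct {
    void *script;
    void *native_ret_addr;  /* meaningful only while in_native_call != 0 */
    int   in_native_call;   /* the flag that the real bug left uninitialized */
} Frame;

enum { PATCH_SKIPPED = 0, PATCH_DONE = 1, PATCH_BAD_FRAME = -1 };

/* Stand-in for the recompiler's per-frame step. A real patchNative would
 * write through native_ret_addr; here we only report what it would do. */
int patch_native(const Frame *f)
{
    if (!f->in_native_call)
        return PATCH_SKIPPED;       /* frame is not inside a native call: nothing to patch */
    if (f->native_ret_addr == NULL)
        return PATCH_BAD_FRAME;     /* inconsistent frame: flag set but no address */
    return PATCH_DONE;              /* real code would dereference the address here */
}

/* Buggy setup: initializes the fields the older code knew about and nothing
 * else. The 0xAB fill is constructed garbage standing in for stale memory. */
void frame_setup_buggy(Frame *f, void *script)
{
    memset(f, 0xAB, sizeof *f);
    f->script = script;
}

/* Fixed setup: every field, including the new flag, has a defined value
 * before any consumer can read it. */
void frame_setup_fixed(Frame *f, void *script)
{
    memset(f, 0, sizeof *f);
    f->script = script;
    f->native_ret_addr = NULL;
    f->in_native_call = 0;
}

/* Drive a frame that is NOT in a native call through the recompile step,
 * once with each setup, and return what patch_native decided. */
int recompile_with_buggy_setup(void)
{
    Frame f; int script;
    frame_setup_buggy(&f, &script);
    return patch_native(&f);        /* garbage flag reads as "in native call" */
}

int recompile_with_fixed_setup(void)
{
    Frame f; int script;
    frame_setup_fixed(&f, &script);
    return patch_native(&f);        /* flag is 0, so the frame is skipped */
}

/* A frame that genuinely is in a native call still gets patched after the fix. */
int recompile_real_native_call(void)
{
    Frame f; int script;
    frame_setup_fixed(&f, &script);
    f.in_native_call = 1;
    f.native_ret_addr = &script;    /* any valid address stands in for the return site */
    return patch_native(&f);
}

int main(void)
{
    printf("buggy setup, plain frame: %d (1 = would patch through a garbage pointer)\n",
           recompile_with_buggy_setup());
    printf("fixed setup, plain frame: %d (0 = skipped)\n", recompile_with_fixed_setup());
    printf("fixed setup, native frame: %d (1 = patched)\n", recompile_real_native_call());
    return 0;
}
```

The point of the three paths is that the fix is not a check in `patch_native` at all: the consumer is correct, and the defect is entirely in the frame's construction, which is why a debug allocator or poison fill (here the 0xAB) makes this kind of bug deterministic instead of intermittent.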
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
Crash Signature: [@ js::mjit::Recompiler::patchNative]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug640608.js.
Flags: in-testsuite+