641327 - TI: Crash [@ js::mjit::Recompiler::recompile]

Status: RESOLVED DUPLICATE of bug 641225

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: testcase to be put in a subdirectory

Attached testcase crashes js opt shell on JM changeset bcf148dbce2f with -m, -a, -n, -p and -d at js::mjit::Recompiler::recompile

It does not seem to occur in debug shells.

This is fairly reproducible, place the testcase (sort-of reduced) in a subdirectory then run:

./js -m -a -n -p -d subdir/unreliable.js

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

===

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x002b4b35 in js::mjit::Recompiler::recompile ()
(gdb) bt
#0  0x002b4b35 in js::mjit::Recompiler::recompile ()
#1  0x002b587f in js::mjit::Recompiler::recompile ()
#2  0x00098ba7 in js::types::TypeCompartment::processPendingRecompiles ()
#3  0x00258ab7 in js::types::TypeCompartment::checkPendingRecompiles ()
#4  0x002583f8 in js::mjit::Compiler::performCompilation ()
#5  0x002585f6 in js::mjit::TryCompile ()
#6  0x002b2cff in UncachedInlineCall ()
#7  0x002b30e6 in js::mjit::stubs::UncachedNew ()
#8  0x003d7bfc in ?? ()
#9  0x002208ad in js::mjit::JaegerShot ()
#10 0x000befae in js::Interpret ()
#11 0x000d062c in js::RunScript ()
#12 0x000d3463 in js::Execute ()
#13 0x0001b0ab in JS_ExecuteScript ()
#14 0x0000a8bc in Process ()
#15 0x0000c56b in Shell ()
#16 0x0000cb6c in main ()
(gdb) x/i $pc
0x2b4b35 <_ZN2js4mjit10Recompiler9recompileERNS_6VectorIP12JSStackFrameLm0ENS_18ContextAllocPolicyEEERNS2_INS1_16PatchableAddressELm0ES5_EERNS2_INS0_8CallSiteELm0ES5_EERNS2_INS1_15PatchableNativeELm0ES5_EEj+309>:    mov    %eax,(%edx)

Comment 1

[Brian Hackett [Laid off!]]

This WFM now.  I could repro the crash in the changeset above, and after adding a release-mode crash it died in the same way fixed by bug 641225.