Bug 642985 - TI: Crash @ [JSFunction::isInterpreted()]
Status: Closed (RESOLVED FIXED)
Opened 13 years ago, closed 13 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Unassigned
Keywords: crash, testcase; Whiteboard: fixed-in-jaegermonkey
The following test case (run with -n -a -m) crashes on TI tip, tested on 64 bit:

    gczeal(2);
    function complex(aReal, aImag) {}
    function mandelbrotValueOO (aC, aIterMax) {
      for (var iter = 0; iter < aIterMax; iter++) { }
    }
    function f(trace) {
      const width = 60;
      const height = 60;
      const max_iters = 50;
      var output = [];
      for (let img_x = 0; img_x < width; img_x++) {
        for (let img_y = 0; img_y < height; img_y++) {
          let C = new complex(-2 + (img_x / width) * 3, -1.5 + (img_y / height) * 3);
          var res = mandelbrotValueOO(C, max_iters);
          if (output.length > 0 && complex(5)) { } else { output.push([res, 1]); }
        }
      }
    }
    var timenonjit = f(false);

    ==20091== Invalid read of size 2
    ==20091==    at 0x412F14: JSFunction::isInterpreted() const (jsfun.h:150)
    ==20091==    by 0x412F41: JSFunction::script() const (jsfun.h:223)
    ==20091==    by 0x4131D1: JSStackFrame::script() const (jsinterp.h:281)
    ==20091==    by 0x715BAC: js::mjit::Recompiler::recompile() (Retcon.cpp:269)
    ==20091==    by 0x4E4069: js::types::TypeCompartment::processPendingRecompiles(JSContext*) (jsinfer.cpp:1938)
    ==20091==    by 0x414415: js::types::TypeCompartment::checkPendingRecompiles(JSContext*) (jsinferinlines.h:185)
    ==20091==    by 0x4EDB95: JSScript::typeSetThis(JSContext*, long) (jsinferinlines.h:590)
    ==20091==    by 0x4E3A40: js::types::TypeCompartment::dynamicCall(JSContext*, JSObject*, js::CallArgs const&, bool) (jsinfer.cpp:1793)
    ==20091==    by 0x4FC697: JSContext::typeMonitorCall(js::CallArgs const&, bool) (jsinferinlines.h:414)
    ==20091==    by 0x711A66: js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:309)
    ==20091==    by 0x41B0213: ???
    ==20091==    by 0x68E0DB: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:744)
    ==20091==  Address 0x3fc333330000005c is not stack'd, malloc'd or (recently) free'd
    ==20091==
    ==20091==
    ==20091== Process terminating with default action of signal 11 (SIGSEGV)
Comment 1•13 years ago
When monitoring argument types at calls to stubs::CompileFunction, we did not wait for the newly pushed frame to be sufficiently initialized.

http://hg.mozilla.org/projects/jaegermonkey/rev/695726698bfe
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
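The ordering bug comment 1 describes, modelled in plain C as an added example (this is not SpiderMonkey code, and every type and function name below is an invented stand-in for JSStackFrame, JSFunction and the recompiler's frame walk). A frame push is split into "link the frame" and "fill in the callee"; a type-monitoring step that may trigger a recompile, and therefore a walk over every frame, runs between the two halves in the buggy order, so the walker reads the callee before it exists. The valgrind trace above shows that read as an invalid access; the model makes it observable as a count instead, and shows the fixed order where the frame is complete before anything may walk the stack.

```c
/*
 * Hypothetical model of the ordering bug in comment 1 (added example; not
 * SpiderMonkey code). A monitor step that may walk every stack frame runs
 * while the newest frame is only partially pushed, so the walker reads the
 * frame's callee before it has been set. The real bug was an invalid read;
 * here the walker counts uninitialized frames so the effect is observable.
 */
#include <stddef.h>

typedef struct Script { int id; } Script;
typedef struct Function { Script *script; } Function;

typedef struct Frame {
    Function *fun;        /* callee; NULL until the push is complete */
    struct Frame *prev;   /* caller's frame */
} Frame;

typedef struct Stack { Frame *top; } Stack;

/* Stand-in for JSStackFrame::script(): meaningful only once fun is set. */
static Script *frame_script(const Frame *fp) {
    return fp->fun ? fp->fun->script : NULL;
}

/* Stand-in for a recompiler walking every frame: returns how many frames
 * have no readable script, i.e. were reached before initialization finished. */
static int walk_frames(const Stack *st) {
    int uninitialized = 0;
    for (const Frame *fp = st->top; fp != NULL; fp = fp->prev)
        if (frame_script(fp) == NULL)
            uninitialized++;
    return uninitialized;
}

/* A push split in two: linking the frame, then filling in the callee. */
static void push_frame_partial(Stack *st, Frame *fp) {
    fp->fun = NULL;
    fp->prev = st->top;
    st->top = fp;
}
static void finish_frame(Frame *fp, Function *fun) { fp->fun = fun; }

/* Buggy order: the monitor (which may walk the stack) runs between the two
 * halves of the push. Returns the number of uninitialized frames it saw. */
int buggy_call(Stack *st, Frame *fp, Function *fun) {
    push_frame_partial(st, fp);
    int seen = walk_frames(st);     /* sees fp with fun == NULL */
    finish_frame(fp, fun);
    return seen;
}

/* Fixed order: the frame is complete before anything can walk the stack. */
int fixed_call(Stack *st, Frame *fp, Function *fun) {
    push_frame_partial(st, fp);
    finish_frame(fp, fun);
    return walk_frames(st);
}

/* Drive both orders with one fully initialized caller frame already on the
 * stack, then a callee pushed by each variant. */
int demo_buggy_order(void) {
    Script s = { 1 }; Function fn = { &s };
    Frame caller, callee; Stack st = { NULL };
    push_frame_partial(&st, &caller); finish_frame(&caller, &fn);
    return buggy_call(&st, &callee, &fn);   /* 1: the callee was read too early */
}
int demo_fixed_order(void) {
    Script s = { 1 }; Function fn = { &s };
    Frame caller, callee; Stack st = { NULL };
    push_frame_partial(&st, &caller); finish_frame(&caller, &fn);
    return fixed_call(&st, &callee, &fn);   /* 0: every frame is readable */
}
```

The practical lesson for reviewers of this kind of code is that any hook which can run arbitrary engine work (type monitoring, GC, recompilation) must only be invoked once every object it may inspect is in a consistent state; running the test case under gczeal and valgrind, as the reporter did, is how this class of partially-initialized-object read surfaces before it reaches users.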
Comment 3•11 years ago (Reporter)
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug642985-1.js.
Flags: in-testsuite+