Bug 646267 - TI: crash in mjit-generated code
Status: RESOLVED FIXED (Closed)
Opened 14 years ago; closed 14 years ago
Category: Core :: JavaScript Engine (defect)
Reporter: jruderman; Assignee: Unassigned
Keywords: crash, testcase
This crashes jaeger rev f6a77f725bbc. I think the bug has been around for a while; I don't have a precise regression range.
./js -m -a -n
function t(code) {
    var f = new Function(code);
    try { f(); } catch (e) { }
}
t("");
t("");
t("");
t("this.function::a = 7;");
Comment 1•14 years ago
Ah, this is due to a recompilation incurred by the CompileFunction stub, which we currently call from an IC (just noticed this was possible recently). We also do this for SplatApplyArgs, which can also cause recompilation. Once bug 638680 lands I can fix this. Unfortunately we can't detect from the recompiler that we are calling C++ from an IC, so we don't patch the return address and jump back to trash memory once the call finishes.
Depends on: 638680
Comment 7•14 years ago
Fixed this now as it's been showing up a lot in fuzz bugs and I don't know when bug 638680 will reland. Fixes CompileFunction to behave like the other call stubs which either return a code pointer or NULL, so it can use the same rejoin point as those other calls, and use a native-call style write of f.scratch to indicate to the recompiler that the VMFrame is inside a call made from an IC rather than from the script's jitcode.
http://hg.mozilla.org/projects/jaegermonkey/rev/b40247ae7dd5
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 8•12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug646267.js.
Flags: in-testsuite+