TI: crash in mjit-generated code

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Reported: 6 years ago
Modified: 5 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

Blocks: 2 bugs
Keywords: crash, testcase
Version: Trunk
Hardware: x86 / Mac OS X
Bug Flags: in-testsuite +

Firefox Tracking Flags: (Not tracked)

Details

Description (Reporter, 6 years ago)
This crashes jaeger rev f6a77f725bbc. I think the bug has been around for a while; I don't have a precise regression range.

./js -m -a -n

function t(code) {
    var f = new Function(code);
    try { f(); } catch (e) { }
}
t("");
t("");
t("");
t("this.function::a = 7;");

Ah, this is due to a recompilation incurred by the CompileFunction stub, which we currently call from an IC (just noticed this was possible recently).  We also do this for SplatApplyArgs, which can also cause recompilation.  Once bug 638680 lands I can fix this.  Unfortunately we can't detect from the recompiler that we are calling C++ from an IC, so we don't patch the return address and jump back to trash memory once the call finishes.
Depends on: 638680
Duplicate of this bug: 647694
Duplicate of this bug: 648849
Duplicate of this bug: 649959
Duplicate of this bug: 650330
Duplicate of this bug: 651218
Fixed this now as it's been showing up a lot in fuzz bugs and I don't know when bug 638680 will reland.  Fixes CompileFunction to behave like the other call stubs which either return a code pointer or NULL, so it can use the same rejoin point as those other calls, and use a native-call style write of f.scratch to indicate to the recompiler that the VMFrame is inside a call made from an IC rather than from the script's jitcode.

http://hg.mozilla.org/projects/jaegermonkey/rev/b40247ae7dd5
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Depends on: 653981
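The two comments above describe an invariant rather than a line of code: when a stub called from generated code triggers recompilation, the recompiler must redirect the frame's return address to a rejoin point that survives the recompile, and it can only do that if it knows whether the call came from the script's own jitcode or from an inline cache (IC) stub. The following is an added, deliberately simplified C model written for this page; it is not SpiderMonkey code. `CodeBlob`, `VMFrame`, `recompile` and `call_stub_from_ic` are constructed stand-ins, and the `scratch` word models the `f.scratch` marker the fix writes. It shows why an unmarked IC call is left returning into discarded code, and how marking the frame lets the recompiler pick the IC rejoin point instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not SpiderMonkey code: a piece of generated code that a
 * stub can return into, with a liveness flag the recompiler flips. */
typedef struct {
    const char *name;
    bool live;          /* false once the recompiler discards this code */
} CodeBlob;

/* Minimal stand-in for the VMFrame the bug comments mention. 'scratch' plays
 * the role of f.scratch: non-NULL marks "this native call was made from an IC". */
typedef struct {
    CodeBlob *returnAddress;  /* where the stub jumps back to when it finishes */
    void     *scratch;        /* NULL = called from the script's own jitcode */
} VMFrame;

/* Rejoin points that are regenerated and remain valid across recompilation. */
static CodeBlob scriptRejoin = { "script rejoin point", true };
static CodeBlob icRejoin     = { "IC rejoin point", true };

/* Model of the recompiler: it discards the script's jitcode and the IC stubs
 * hanging off it, and must repatch any frame that is mid-call into C++ so the
 * call returns into live code. In this model it recognises only two cases: a
 * return address inside the script's jitcode, or a frame whose scratch word
 * says the call came from an IC. An unmarked IC call matches neither, so its
 * return address is left pointing at discarded code (the reported crash). */
static void recompile(VMFrame *f, CodeBlob *scriptCode, CodeBlob *icStub) {
    scriptCode->live = false;
    icStub->live = false;
    if (f->scratch != NULL) {
        f->returnAddress = &icRejoin;        /* marked IC call: use the IC rejoin */
    } else if (f->returnAddress == scriptCode) {
        f->returnAddress = &scriptRejoin;    /* call from script jitcode */
    }
    /* else: the recompiler cannot tell this is an IC call; nothing is patched */
}

/* Simulates a stub such as CompileFunction being invoked from an IC and
 * triggering recompilation. markIcCall=false models the pre-fix stub,
 * markIcCall=true the fixed stub that writes f.scratch native-call style.
 * Returns whether the stub's return lands on live code. */
static bool call_stub_from_ic(bool markIcCall) {
    CodeBlob scriptCode = { "script jitcode", true };
    CodeBlob icStub     = { "IC call stub", true };
    VMFrame f = { &icStub, NULL };           /* the stub was entered from the IC */

    if (markIcCall)
        f.scratch = &icStub;                 /* the fix: flag the frame as an IC call */

    recompile(&f, &scriptCode, &icStub);     /* the stub recompiled the script */

    /* Returning into discarded code is the "jump back to trash memory" outcome. */
    return f.returnAddress->live;
}

int main(void) {
    printf("unmarked IC call returns to live code: %s\n",
           call_stub_from_ic(false) ? "yes" : "no");   /* no */
    printf("marked IC call returns to live code:   %s\n",
           call_stub_from_ic(true) ? "yes" : "no");    /* yes */
    return 0;
}
```

The model collapses real return-address patching to a pointer swap, but the decision it makes is the one the fix comment describes: without the scratch marker the recompiler has no way to distinguish an IC call from a call it does not need to touch, and the only safe place to record that distinction is in the frame before the native call is made.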
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug646267.js.
Flags: in-testsuite+