Last Comment Bug 646267 - TI: crash in mjit-generated code
: TI: crash in mjit-generated code
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Mac OS X
-- critical (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
: 647694 648849 649959 650330 651218 (view as bug list)
Depends on: 638680 653981
Blocks: jsfunfuzz infer-regress
  Show dependency treegraph
Reported: 2011-03-29 16:35 PDT by Jesse Ruderman
Modified: 2013-01-14 07:46 PST (History)
7 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Jesse Ruderman 2011-03-29 16:35:23 PDT
This crashes jaeger rev f6a77f725bbc. I think the bug has been around for a while; I don't have a precise regression range.

./js -m -a -n

function t(code) {
    var f = new Function(code);
    try { f(); } catch (e) { }
t("this.function::a = 7;");
Comment 1 User image Brian Hackett (:bhackett) 2011-03-29 21:38:16 PDT
Ah, this is due to a recompilation incurred by the CompileFunction stub, which we currently call from an IC (just noticed this was possible recently).  We also do this for SplatApplyArgs, which can also cause recompilation.  Once bug 638680 lands I can fix this.  Unfortunately we can't detect from the recompiler that we are calling C++ from an IC, so we don't patch the return address and jump back to trash memory once the call finishes.
Comment 2 User image Brian Hackett (:bhackett) 2011-04-06 11:01:17 PDT
*** Bug 647694 has been marked as a duplicate of this bug. ***
Comment 3 User image Brian Hackett (:bhackett) 2011-04-10 17:16:21 PDT
*** Bug 648849 has been marked as a duplicate of this bug. ***
Comment 4 User image Brian Hackett (:bhackett) 2011-04-14 15:48:28 PDT
*** Bug 649959 has been marked as a duplicate of this bug. ***
Comment 5 User image Brian Hackett (:bhackett) 2011-04-18 16:45:59 PDT
*** Bug 650330 has been marked as a duplicate of this bug. ***
Comment 6 User image Brian Hackett (:bhackett) 2011-04-19 23:20:25 PDT
*** Bug 651218 has been marked as a duplicate of this bug. ***
Comment 7 User image Brian Hackett (:bhackett) 2011-04-26 23:37:29 PDT
Fixed this now as it's been showing up a lot in fuzz bugs and I don't know when bug 638680 will reland.  Fixes CompileFunction to behave like the other call stubs which either return a code pointer or NULL, so it can use the same rejoin point as those other calls, and use a native-call style write of f.scratch to indicate to the recompiler that the VMFrame is inside a call made from an IC rather than from the script's jitcode.
Comment 8 User image Christian Holler (:decoder) 2013-01-14 07:46:43 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug646267.js.

Note You need to log in before you can comment on or make changes to this bug.