Closed Bug 646267 Opened 14 years ago Closed 14 years ago

TI: crash in mjit-generated code

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, testcase)

This crashes jaeger rev f6a77f725bbc. I think the bug has been around for a while; I don't have a precise regression range.

./js -m -a -n

function t(code) { var f = new Function(code); try { f(); } catch (e) { } }
t("");
t("");
t("");
t("this.function::a = 7;");
Ah, this is due to a recompilation incurred by the CompileFunction stub, which we currently call from an IC (just noticed this was possible recently). We also do this for SplatApplyArgs, which can also cause recompilation. Once bug 638680 lands I can fix this. Unfortunately we can't detect from the recompiler that we are calling C++ from an IC, so we don't patch the return address and jump back to trash memory once the call finishes.
Depends on: 638680
Fixed this now as it's been showing up a lot in fuzz bugs and I don't know when bug 638680 will reland. Fixes CompileFunction to behave like the other call stubs which either return a code pointer or NULL, so it can use the same rejoin point as those other calls, and use a native-call style write of f.scratch to indicate to the recompiler that the VMFrame is inside a call made from an IC rather than from the script's jitcode. http://hg.mozilla.org/projects/jaegermonkey/rev/b40247ae7dd5
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug646267.js.
Flags: in-testsuite+