647199 - TI: Crash [@ js::mjit::EnterMethodJIT]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following code crashes on TI tip (run with -m -n -a), tested on 64 bit:

TryInWhile( new TryObject( "hello", ThrowException, true ) );
function TryObject( value, throwFunction, result ) {
  this.thrower=throwFunction
}
function ThrowException() TryInWhile(1);
function TryInWhile( object ) {
    try {
      object.thrower()
    } catch ( e ) {
    }  
}

Valgrind trace:

==20759== Process terminating with default action of signal 11 (SIGSEGV)
==20759==  Access not within mapped region at address 0x0
==20759==    at 0x1: ???
==20759==    by 0x68C53D: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:742)
==20759==    by 0x68C666: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:771)
==20759==    by 0x68C7DD: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:795)
==20759==    by 0x4F4D06: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:682)
==20759==    by 0x4F64A5: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:1094)
==20759==    by 0x43417D: JS_ExecuteScript (jsapi.cpp:5183)
==20759==    by 0x4059FB: Process(JSContext*, JSObject*, char*, int, int) (js.cpp:457)
==20759==    by 0x406826: ProcessArgs(JSContext*, JSObject*, char**, int) (js.cpp:895)
==20759==    by 0x410F06: Shell(JSContext*, int, char**, char**) (js.cpp:5773)
==20759==    by 0x411180: main (js.cpp:5895)

Comment 1

[Brian Hackett [Laid off!]]

The logic for redirecting VMFrame return addresses when expanding inline frames was wrong, and if multiple copies of the expanded script were on the stack the VMFrame could be repointed to the wrong place.

http://hg.mozilla.org/projects/jaegermonkey/rev/9c4d9a6d58e0

Comment 2

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug647199.js.