657587 - TI: Crash [@ DoMatch]

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: shell testcase, unpack, chdir and run main.js with options "-n -m" or "-m"

The attached testcase crashes on optimized TI revision 0cd135eb71a3 (run either with -m -n or with m), tested on 64 bit. Interestingly, the test crashes instantly with -m only and takes a few seconds with -m -n.

Backtrace with -m -n:

==30374== Invalid read of size 8
==30374==    at 0x526711: DoMatch(JSContext*, js::RegExpStatics*, js::Value*, JSString*, RegExpPair const&, bool (*)(JSContext*, js::RegExpStatics*, unsigned long, void*), void*, MatchControlFlags) (jsstr.h:250)
==30374==    by 0x52C4E2: js::str_replace(JSContext*, unsigned int, js::Value*) (jsstr.cpp:2406)
==30374==    by 0x6307AC: CallCompiler::generateNativeStub() (jscntxtinlines.h:293)
==30374==    by 0x62D2F2: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1108)
==30374==    by 0xB6A1C43: ???
==30374==    by 0x5C658D: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:882)
==30374==    by 0x5C679C: js::mjit::JaegerShotAtSafePoint(JSContext*, void*) (MethodJIT.cpp:912)
==30374==    by 0x67EB3D: js::Interpret(JSContext*, js::StackFrame*, unsigned int, js::InterpMode) (jsinterp.cpp:6463)
==30374==    by 0x646BDE: js_InternalInterpret (InvokeHelpers.cpp:1627)
==30374==    by 0x5C5F6D: ??? (in /home/decoder/LangFuzz/jaegermonkey/js/src/shell/js)
==30374==    by 0x5C658D: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:882)
==30374==    by 0x5C6E65: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:912)
==30374==  Address 0x5 is not stack'd, malloc'd or (recently) free'd
==30374==
==30374==
==30374== Process terminating with default action of signal 11 (SIGSEGV)


Backtrace with -m:

==31534== Invalid read of size 1
==31534==    at 0x5CB6BB: js::mjit::Compiler::restoreVarType() (Compiler.cpp:6912)
==31534==    by 0x5E49BF: js::mjit::Compiler::generateMethod() (Compiler.cpp:2217)
==31534==    by 0x5E8C8A: js::mjit::Compiler::performCompilation(js::mjit::JITScript**) (Compiler.cpp:531)
==31534==    by 0x5E8F79: js::mjit::TryCompile(JSContext*, js::StackFrame*) (Compiler.cpp:163)
==31534==    by 0x67D894: js::Interpret(JSContext*, js::StackFrame*, unsigned int, js::InterpMode) (MethodJIT-inl.h:75)
==31534==    by 0x64835B: UncachedInlineCall(js::VMFrame&, unsigned int, void**, bool*, unsigned int) (InvokeHelpers.cpp:432)
==31534==    by 0x648784: js::mjit::stubs::UncachedCallHelper(js::VMFrame&, unsigned int, js::mjit::stubs::UncachedCallResult*) (InvokeHelpers.cpp:503)
==31534==    by 0x631764: CallCompiler::update() (MonoIC.cpp:1034)
==31534==    by 0x62D382: js::mjit::ic::Call(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1094)
==31534==    by 0x41AEC4A: ???
==31534==    by 0x5C658D: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:882)
==31534==    by 0x5C679C: js::mjit::JaegerShotAtSafePoint(JSContext*, void*) (MethodJIT.cpp:912)
==31534==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==31534== 
==31534== 
==31534== Process terminating with default action of signal 11 (SIGSEGV)

Comment 1

[Brian Hackett [Laid off!]]

Hmm, the problem with -m was fixed yesterday afternoon.  What does this do for you on tip?

Comment 2

[Christian Holler (:decoder)]

(In reply to comment #1)
> Hmm, the problem with -m was fixed yesterday afternoon.  What does this do
> for you on tip?

You are right, now it only crashes with -m -n in the function DoMatch.

Comment 3

[Brian Hackett [Laid off!]]

This WFM now, can you still reproduce?  I can repro on the old changeset, but this doesn't look GC related so it is probably legitimately fixed now.