Closed Bug 672123 Opened 13 years ago Closed 13 years ago

TI: Crash [@ js::mjit::stubs::UncachedCallHelper] or SIGTRAP with testcase

Product/Component: Core :: JavaScript Engine (defect)
Platform: x86 Linux
Priority: Not set
Severity: critical

Status: RESOLVED FIXED

Reporter: gkw, Unassigned

Keywords: crash, testcase

function h(code) {
    f = eval("(function(){" + code + "})")
    g()
}
function g() {
    try {
        f()
    } catch (r) {}
}
h("")
for (i = 0; i < 9; i++) {
    h("")
}
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("")
h("\"\"(gc())")

hits a SIGTRAP on js debug shell on JM changeset 7f471e15146e with -m and -n.

Program received signal SIGTRAP, Trace/breakpoint trap.
0xf73f0276 in ?? ()
(gdb) bt
#0  0xf73f0276 in ?? ()
#1  0xf740a830 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

function tryItOut(code) {
  var f = g(code.replace(g, ""))
  try {
    f()
  } catch (e) {}
}
function g(s) {
  return new Function(s)
}
for (let a = 0; a < 50; a++) {
  tryItOut("\"use strict\";for(let d in[(void 0)]){unctional=gc()}\
")
}

is a testcase that hits a SIGTRAP on js debug shell, but also crashes a js shell at js::mjit::stubs::UncachedCallHelper

Tested on 32-bit js shell on JM changeset 7f471e15146e with -m and -n.

(gdb) bt
#0  js::mjit::stubs::UncachedCallHelper (f=..., argc=73, lowered=true, ucr=0xffffcc20) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-73580-7f471e15146e/compilePath/js/src/methodjit/InvokeHelpers.cpp:444
#1  0x082a6a53 in update (f=<value optimized out>, ic=<value optimized out>) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-73580-7f471e15146e/compilePath/js/src/methodjit/MonoIC.cpp:1075
#2  js::mjit::ic::Call (f=<value optimized out>, ic=<value optimized out>) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-73580-7f471e15146e/compilePath/js/src/methodjit/MonoIC.cpp:1135
#3  0xf73f0736 in ?? ()
#4  0x08379ff4 in ?? ()
Crash Signature: [@ js::mjit::stubs::UncachedCallHelper]
Summary: TI: SIGTRAP with testcase → TI: Crash [@ js::mjit::stubs::UncachedCallHelper] or SIGTRAP with testcase
I've also seen variants crash opt shell at internalAppend or js::mjit::ic::CallName.
With inference enabled, during GC we now wipe out all JIT code in the compartment but don't fix up the ncode values of the frames on the stack (would take a decent amount of work to repoint all of them to the interpoline).  This requires that we only enter JIT code from EnterMethodJIT, which will overwrite the entry frame's ncode, and nothing will see the old stale values.  This requirement was being broken when throwing an exception, which would enter the JIT code directly, compiling new code if necessary.  When the frame with the exception/finally handler finished, it would jump to its now-garbage ncode and havoc ensues.

The fix makes InternalThrow behave like InternalInterpret: don't try to finish the frame, just point the registers to the right place and then resume execution in the interpreter.

http://hg.mozilla.org/projects/jaegermonkey/rev/85b77c0781b6
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
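The invariant described in the comment above, as an added C model that is not SpiderMonkey code: frames keep a saved ncode pointer into JIT code that a GC can discard, only the EnterMethodJIT path rewrites that pointer, and the old throw path finishes the frame by jumping to the stale pointer while the fixed path resumes in the interpreter. Names (jit_chunk, frame, reproduce) are assumptions chosen to mirror the description.

```c
/* Added illustration of the stale-ncode bug, not the engine's own code.
 * A jit_chunk stands in for a compartment's JIT code; live==false means
 * the GC discarded it, so jumping into it is a jump into garbage. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_CHUNKS 16
typedef struct { bool live; } jit_chunk;            /* one block of JIT code */
typedef struct { jit_chunk *ncode; int pc; } frame; /* ncode: saved JIT resume point */

static jit_chunk chunks[MAX_CHUNKS];
static int nchunks = 0;

/* Compile a script: hands out a fresh, live chunk to resume into. */
static jit_chunk *compile(void) {
    if (nchunks == MAX_CHUNKS) abort();
    chunks[nchunks].live = true;
    return &chunks[nchunks++];
}

/* GC with inference on: wipe every chunk, but leave each frame's ncode untouched. */
static void gc_discard_jit_code(void) {
    for (int i = 0; i < nchunks; i++) chunks[i].live = false;
}

/* EnterMethodJIT: the only sanctioned entry; it overwrites the entry frame's ncode. */
static bool enter_method_jit(frame *f) {
    f->ncode = compile();
    return f->ncode->live;
}

/* Old InternalThrow: finish the frame by jumping straight to its saved ncode.
 * Returns false when that target was discarded (the SIGTRAP / crash in the report). */
static bool internal_throw_old(frame *f) {
    return f->ncode->live;
}

/* Fixed InternalThrow: like InternalInterpret, set the pc and resume in the
 * interpreter, which never dereferences ncode. */
static bool internal_throw_fixed(frame *f, int handler_pc) {
    f->pc = handler_pc;
    return true;
}

/* Reproduce the sequence: enter JIT, gc() runs inside it, then an exception unwinds. */
static bool reproduce(bool fixed) {
    frame f = { .ncode = NULL, .pc = 0 };
    enter_method_jit(&f);
    gc_discard_jit_code();
    return fixed ? internal_throw_fixed(&f, 7) : internal_throw_old(&f);
}
```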
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug672123.js.
Flags: in-testsuite+