722598 - Crash [@ js::mjit::JITScript::destroyChunk] or "Assertion failure: i < nchunks,"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stacks

The testcase to be attached asserts js debug shell on m-c changeset 7cdb5f5d38c6 with -m and -n at Assertion failure: i < nchunks, and crashes js opt shell at js::mjit::JITScript::destroyChunk

s-s because JIT crashes seem scary.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This *might* have been caused by the chunk patch in bug 706914.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

A small testcase, js opt shell 32-bit, m-c changeset feb866aec8d8, with -m, -a, -n :

function whatToTestSpidermonkeyTrunk(code) {
    return {
        e: true,
        g: true & !code.match(/l/) && !(code.match(/=/) && "" != 1) && code.match(/f/) && (e || e.f("") == -1),
        y: true & code.i && f("") == -1
    }
}
whatToTest = whatToTestSpidermonkeyTrunk
function tryItOut(code) {
    if (count == 0) {
        gc()
    }
    whatToTest(code)
    try {
        Function(code)()
    } catch (e) {}
}
count = 0
tryItOut("mjitChunkLimit(13)")
count = tryItOut("")
tryItOut("mjitChunkLimit(72)")
tryItOut("")
tryItOut("")
tryItOut("l")
tryItOut("f")

Comment 4

[Brian Hackett [Laid off!]]

Attachment: patch

Problem with the mjitChunkLimit shell function (so not security-sensitive).  Changing the chunk limit changes the chunk structure of a script which can invalidate invalidation constraints.

Comment 5

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/65872ea859eb

Comment 6

[Marco Bonardo [:mak]]

https://hg.mozilla.org/mozilla-central/rev/65872ea859eb