This is really bug 741544, but filing a new bug because the failspam (though useful for noticing the problem) makes it hard to read comments.
I can reproduce on 64-bit OSX with
python ../jit-test/jit_test.py --valgrind --jitflags
=amn shell/js 673812 -so
shell/js -m -n -a -e "const platform='darwin'; const libdir='/Users/dmandelin/sources/mozilla-central/js/src/jit-test/lib/';" -f /Users/dmandelin/sources/mozilla-central/js/src/jit-test/lib/prolog.js -f /Users/dmandelin/sources/mozilla-central/js/src/jit-test/tests/jaeger/recompile/bug673812.js
Annoyingly, it doesn't repro for me in gdb, but it does repro in valgrind. I'll attach a valgrind report, but it's in JITScript::chunkIndex, so guessing chunked compilation.
Created attachment 612760 [details]
I tried reproducing this myself. It happens every 10 runs or so. I was able to bisect it to this:
The first bad revision is:
user: Luke Wagner <email@example.com>
date: Mon Apr 02 08:57:27 2012 -0700
summary: Bug 740654 - Hoist recursion checks out of Interpret into callers so that Interpret does not throw when trying to rejoin from mjit (r=bhackett)
I also have a stack trace. It has over 1000 frames on it, so I only included the top. Given the patch's summary, it seems likely to be related to a stack overflow, I guess.
I looked at a core dump (I can also repro 1 in 10 on Linux). I'm thinking that bug 740654 is tickling a different bug by causing an over-recursed error to appear in a new place. What seems to be happening is that we are in ic::Call, we call stubs::UncachedCallHelper, that throws 'over recursed', and then later in CallCompiler::update, in the "if (!ucr.codeAddr && ucr.unjittable)" branch, we call disable() which passes f.chunk() == NULL to Repatcher which crashes becuase it assumes non-NULL.
Brian, I don't understand chunked compilation, could you weigh in? The f.chunk() == NULL makes me think this this might be a simple error handling issue.
*** Bug 743706 has been marked as a duplicate of this bug. ***
Created attachment 613432 [details] [diff] [review]
As discussed with luke on IRC, the issue is that the IC is trying to disable itself while the callee's frame is still on the stack (the callee throws but doesn't unwind).