Crash [@ js::mjit::JITScript::nativeToPC] or [@ js::mjit::JITScript::findCodeChunk]

RESOLVED FIXED in Firefox 14

Status


Core
JavaScript Engine
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: gkw, Assigned: luke)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla16
x86_64
Mac OS X
crash, csectype-dos, regression, testcase
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox13 unaffected, firefox14 fixed, firefox15 fixed, firefox16 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [js:t][advisory-tracking-][qa-])

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 638169 [details]
stack

function h(code) {
  f = Function(code);
  g()
}
function g() {
  f()
}
h()
h()
h("\
  arguments[\"0\"];\
  gc();\
")

crashes js opt shell on m-c changeset d9d61d199b11 with -m and -a at js::mjit::JITScript::nativeToPC and crashes js debug shell at js::mjit::JITScript::findCodeChunk

s-s because this concerns gc.
(Reporter)

Comment 1

5 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   97976:d4ac6ac2e618
user:        Luke Wagner
date:        Thu Jun 28 22:50:15 2012 -0700
summary:     Bug 767667 - fix getelem on optimized arguments (r=bhackett)
Blocks: 767667
(Assignee)

Comment 2

5 years ago
Created attachment 638236 [details] [diff] [review]
fix and test

The bug is actually pre-existing, just much easier to trigger with bug 767667.

The bug is that HAS_PREVPC is not getting set when frames are being bailed from the VM.  It seems ExpandInlineFrames is necessary and not implied by Recompiler::clearStackReferences.  Brian: perhaps clearStackReferences should ExpandInlineFrames?  (I some call sites were dominated by ExpandInlineFrames, but not all.)
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #638236 - Flags: review?(bhackett1024)
Whiteboard: js-triage-needed → [js:t]
Comment 3

Comment on attachment 638236 [details] [diff] [review]
fix and test

Yeah, the recompiler stuff could use some streamlining.
Attachment #638236 - Flags: review?(bhackett1024) → review+
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/07b1a5999430
Target Milestone: --- → mozilla16
(Assignee)

Comment 5

5 years ago
Comment on attachment 638236 [details] [diff] [review]
fix and test

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 733950
User impact if declined: possible crash
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low
Attachment #638236 - Flags: approval-mozilla-beta?
Attachment #638236 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 6

5 years ago
https://hg.mozilla.org/mozilla-central/rev/07b1a5999430
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 7

5 years ago
Comment on attachment 638236 [details] [diff] [review]
fix and test

[Triage Comment]
Very low risk fix for a regression in FF14. Approving for branches.
Attachment #638236 - Flags: approval-mozilla-beta?
Attachment #638236 - Flags: approval-mozilla-beta+
Attachment #638236 - Flags: approval-mozilla-aurora?
Attachment #638236 - Flags: approval-mozilla-aurora+

Updated

5 years ago
status-firefox-esr10: --- → unaffected
(Assignee)

Comment 8

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/640fd20c0bca
https://hg.mozilla.org/releases/mozilla-beta/rev/74c96ae7ce65
status-firefox14: --- → fixed
status-firefox15: --- → fixed
status-firefox16: --- → fixed
Whiteboard: [js:t] → [js:t][advisory-tracking+]
Blocks: 733950
status-firefox13: --- → unaffected
Keywords: csec-dos
Whiteboard: [js:t][advisory-tracking+] → [js:t][advisory-tracking-]
Group: core-security

Updated

5 years ago
Whiteboard: [js:t][advisory-tracking-] → [js:t][advisory-tracking-][qa-]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug769987.js.
Flags: in-testsuite+