Bug 782129 - IonMonkey: Crash on heap near [@ js::mjit::ic::Call]
Whiteboard: [ion:p1:fx18] [jsbugmon:update,ignore]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86 Linux
Importance: -- major
Assigned To: general
: general
: Jason Orendorff [:jorendorff]
Blocks: langfuzz, IonFuzz
Reported: 2012-08-12 09:58 PDT by Christian Holler (:decoder)
Modified: 2013-02-07 05:14 PST
Flags: choller: in-testsuite+

Attachment: Fix GetPcScript() when callingIntoIon(). (1.36 KB, patch)
2012-08-13 18:06 PDT, Sean Stangl [:sstangl]
dvander: review+

Description  Christian Holler (:decoder)  2012-08-12 09:58:26 PDT
The following testcase crashes on ionmonkey revision f1764bf06b29 (run with --ion -n -m --ion-eager):

var callStack = new Array();
function enterFunc (funcName) {
  funcName += "()";
  callStack.push(funcName);   // reconstructed: the push is what makes pop() warm up as String
}
function exitFunc (funcName) {
  var lastFunc = callStack.pop();   // undefined once callStack is empty
  funcName += "()";
  if (lastFunc != funcName)         // string compare fed the undefined pop() result
    try {
    } catch(exc1) {}
}
function test() {
  enterFunc ('test');
  for (var l = 0; l < 50000; l++)   // one push, then 50000 pops
    exitFunc ('test');
}
test();   // reconstructed: the page's copy of the testcase lost its closing braces and the call
Comment 1  Christian Holler (:decoder)  2012-08-12 09:59:06 PDT
Also happens on 64 bit. Crash info:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f44145 in ?? ()
Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
(gdb) bt
#0  0x00007ffff7f44145 in ?? ()
#1  0x00007fffffffbfb0 in ?? ()
#2  0x00000000007f5c61 in js::mjit::ic::Call (f=..., ic=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/methodjit/MonoIC.cpp:1291
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x7ffff7f44145:      testl  $0x7,(%rcx)
(gdb) info reg rcx
rcx            0x0      0
Comment 2  Sean Stangl [:sstangl]  2012-08-13 16:46:11 PDT
This is a type error. We assume that LArrayPopShiftT returns String, when this case goes through ion::ArrayPopDense() and returns UndefinedValue. Since the LIR is typed, we then load the Undefined payload 0x0 and segfault later during LCompareS.
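The type transition described in comment 2, as an added regression-style harness that is not part of the bug report or the patch: a dense array is warmed up so pop()/shift() speculate a String result, then drained so the same operation must yield a genuine undefined rather than a zero payload typed as a string. The function names and the comparison against "test()" are this example's own choices, modelled on the testcase above. Run it in a JS shell (for example `js --ion-eager harness.js`) so the loop actually reaches the compiled path.

```javascript
// Added example, not code from the bug report or the patch. Exercises the
// mechanism in comment 2: ArrayPopShift is speculated as returning a string
// after warm-up, and the first pop()/shift() on the now-empty array must come
// back as a real undefined, not a 0x0 payload that a string compare then reads.

function drain(op, iterations, warmup) {
  if (op !== "pop" && op !== "shift") throw new Error("op must be pop or shift");
  var stack = [];
  for (var i = 0; i < warmup; i++) stack.push("test()");   // warm the String type

  var strings = 0, undefs = 0, mismatches = 0;
  for (var j = 0; j < iterations; j++) {
    var last = op === "pop" ? stack.pop() : stack.shift();
    if (typeof last === "string") {
      strings++;
    } else if (last === undefined) {
      undefs++;
    } else {
      // Any other value means the engine handed script a mistyped result.
      throw new Error(op + "() yielded an unexpected value: " + String(last));
    }
    // The comparison that crashed in LCompareS: a string compare whose left
    // operand is undefined once the stack is empty. It must simply be unequal.
    if (last != "test()") mismatches++;
  }
  return { strings: strings, undefs: undefs, mismatches: mismatches };
}

// pop() and shift() share the LArrayPopShiftT LIR node, so check both paths.
function selfCheck() {
  var ops = ["pop", "shift"];
  for (var k = 0; k < ops.length; k++) {
    var r = drain(ops[k], 50000, 1);
    if (r.strings !== 1 || r.undefs !== 49999 || r.mismatches !== 49999) return false;
  }
  return true;
}
```

selfCheck() returning true only says the engine produced the right values; on a build with the original bug the process segfaults inside the loop instead, which is exactly what a jit-test for this bug is meant to catch.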
Comment 3  Christian Holler (:decoder)  2012-08-13 17:20:41 PDT
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a8235a2a29c2).
Comment 4  Sean Stangl [:sstangl]  2012-08-13 18:06:15 PDT
Created attachment 651594 [details] [diff] [review]
Fix GetPcScript() when callingIntoIon().

ion::ArrayPopDense() was correctly calling Monitor() if pop() resulted in an UndefinedValue, but the GetPcScript() function was returning a nonsensical PC when the Ion function was entered via a JM Ion-call IC.
Comment 5  Sean Stangl [:sstangl]  2012-08-13 18:16:01 PDT
Comment 6  Christian Holler (:decoder)  2013-02-07 05:14:59 PST
Automatically extracted testcase for this bug was committed:
