Closed Bug 787921 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash with too-much-recursion through [@ js::FunctionToString]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: sstangl)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on ionmonkey revision 68df0d67be37 (run with --ion -n -m):

function TestCase(n, d, e, a) {
  this.bugnumber = typeof(BUGNUMER) != 'undefined' ? BUGNUMBER : '';
  this.type = (typeof window == 'undefined' ? 'shell' : 'browser');
  gTestcases[gTc++] = this;
  if (optionName && optionName != "allow_xml") {}
  {} {} {} // Seems to be required to crash
}
function f() {}
function g(n, h) {
  // Unbounded recursion: g calls itself with no base case, and each
  // level first stringifies TestCase via toSource().
  var t = g(TestCase.toSource());
}
g(80, f);

There is no long stack visible in GDB but I'm still pretty sure this is a call space exhaustion:


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6cde1e2 in _int_malloc () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
(gdb) bt
#0  0x00007ffff6cde1e2 in _int_malloc () from /lib64/libc.so.6
#1  0x00007ffff6cdf5ed in malloc () from /lib64/libc.so.6
#2  0x000000000041b3c6 in js_malloc (bytes=1024) at ../dist/include/js/Utility.h:157
#3  0x000000000041ba1d in JSRuntime::malloc_ (this=0x7ffff7fb4010, bytes=1024, cx=0xe6e930) at ../../jscntxt.h:950
#4  0x000000000041ba9a in JSContext::malloc_ (this=0xe6e930, bytes=1024) at ../../jscntxt.h:1449
#5  0x0000000000461926 in js::ContextAllocPolicy::malloc_ (this=0x7fffff3ff2a0, bytes=1024) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jscntxt.h:2071
#6  0x000000000047bbd1 in js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::convertToHeapStorage (this=0x7fffff3ff2a0, lengthInc=275) at ./dist/include/js/Vector.h:630
#7  0x00000000004798bb in js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::growStorageBy (this=0x7fffff3ff2a0, incr=275) at ./dist/include/js/Vector.h:652
#8  0x00000000004746d1 in js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::append<jschar> (this=0x7fffff3ff2a0, insBegin=0x1cf6b540, insEnd=0x1cf6b766) at ./dist/include/js/Vector.h:860
#9  0x0000000000474551 in js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::append<jschar> (this=0x7fffff3ff2a0, insBegin=0x1cf6b540, length=275) at ./dist/include/js/Vector.h:903
#10 0x0000000000461fd4 in js::StringBuffer::append (this=0x7fffff3ff2a0, str=0x7fffeee49ae0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/vm/StringBuffer.h:102
#11 0x000000000046203f in js::StringBuffer::append (this=0x7fffff3ff2a0, str=0x7fffeee49ae0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/vm/StringBuffer.h:111
#12 0x00000000004ceb34 in js::FunctionToString (cx=0xe6e930, fun=..., bodyOnly=false, lambdaParen=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsfun.cpp:716
#13 0x00000000004cefb3 in fun_toStringHelper (cx=0xe6e930, obj=0x7ffff0717e80, indent=32768) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsfun.cpp:762
#14 0x00000000004cf206 in fun_toSource (cx=0xe6e930, argc=0, vp=0x7fffff3ff4e0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsfun.cpp:799
#15 0x00007ffff7f43846 in ?? ()
#16 0x00007fffff3ff508 in ?? ()
#17 0x00007fffff3ff4b8 in ?? ()
#18 0x00007ffff0717e80 in ?? ()
#19 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x7ffff6cde1e2 <_int_malloc+450>:    mov    %rcx,0x28(%rsp)
(gdb) info reg rcx rsp
rcx            0x10     16
rsp            0x7fffff3fefc0   0x7fffff3fefc0
Crash Signature: [@ js::FunctionToString]
The problem is that if an interrupt occurs, we set ionStackLimit to 0, which is supposed to exit into the CheckOverRecursed VMFunction. Since the StackLimit is referring to the C stack, which grows down, setting ionStackLimit to 0 is equivalent to making the stack unlimited. So not only do we never hit the interrupt, but also the ionStackLimit is set to infinite, so we segfault. Setting the ionStackLimit to MAX_POINTER fixes it.
Assignee: general → sstangl
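A small model of the failure mode described in the comment above, added here as an illustration and not code from SpiderMonkey or from the attached patch. The `Runtime` struct, the `stack_limit` field, the addresses and frame size are all constructed for the example; `UINTPTR_MAX` stands in for the "MAX_POINTER" value the comment refers to. The native stack grows downward, so the over-recursion check compares the stack pointer against a lower bound: a limit of 0 can never be crossed, while a saturated limit forces the very next check into the slow path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical engine state: the lowest address the script stack may
 * reach before the over-recursion slow path is taken. */
typedef struct {
    uintptr_t stack_limit;
    int interrupt_pending;
} Runtime;

/* Constructed layout for the simulation (not real addresses). */
#define SP_START      ((uintptr_t)0x7fffff400000ULL) /* initial stack pointer */
#define NATIVE_BOTTOM ((uintptr_t)0x7fffff3f0000ULL) /* real end of the stack */
#define GUARD_BYTES   ((uintptr_t)8192)               /* engine's safety margin */
#define FRAME_SIZE    ((size_t)1024)                  /* bytes per recursion level */

/* The check emitted at function entry: stack grows down, so a stack
 * pointer below the limit means "over-recursed, take the slow path". */
static int over_recursed(const Runtime *rt, uintptr_t sp) {
    return sp < rt->stack_limit;
}

/* Buggy interrupt hook, as the bug describes it: zeroing the limit on a
 * downward-growing stack means no stack pointer can ever be below it, so
 * the check never fires and recursion runs until the native stack is gone. */
static void request_interrupt_buggy(Runtime *rt) {
    rt->interrupt_pending = 1;
    rt->stack_limit = 0;
}

/* Fixed hook: saturating the limit guarantees the next check fails, which
 * is how the engine diverts execution into the CheckOverRecursed path. */
static void request_interrupt_fixed(Runtime *rt) {
    rt->interrupt_pending = 1;
    rt->stack_limit = UINTPTR_MAX;
}

/* Simulate recursion: sp descends by FRAME_SIZE per level. Returns the
 * depth at which the engine check fired, or -1 if the native stack was
 * exhausted first (the segfault in the reported trace). An interrupt, if
 * given, is raised once at interrupt_at_depth. */
static long simulate_recursion(Runtime *rt, int interrupt_at_depth,
                               void (*interrupt)(Runtime *)) {
    uintptr_t sp = SP_START;
    for (long depth = 0; ; depth++) {
        if (interrupt && depth == interrupt_at_depth)
            interrupt(rt);
        if (over_recursed(rt, sp))
            return depth;
        if (sp - FRAME_SIZE < NATIVE_BOTTOM)
            return -1;
        sp -= FRAME_SIZE;
    }
}

static Runtime fresh_runtime(void) {
    Runtime rt = { NATIVE_BOTTOM + GUARD_BYTES, 0 };
    return rt;
}

/* No interrupt: the limit catches the recursion inside the guard margin. */
long run_normal(void) {
    Runtime rt = fresh_runtime();
    return simulate_recursion(&rt, -1, NULL);
}

/* Interrupt at depth 10 with the buggy hook: the check is disabled. */
long run_buggy(void) {
    Runtime rt = fresh_runtime();
    return simulate_recursion(&rt, 10, request_interrupt_buggy);
}

/* Interrupt at depth 10 with the fixed hook: the check fires immediately. */
long run_fixed(void) {
    Runtime rt = fresh_runtime();
    return simulate_recursion(&rt, 10, request_interrupt_fixed);
}

int main(void) {
    printf("normal: check fired at depth %ld\n", run_normal());
    printf("buggy limit=0: %ld (-1 = native stack exhausted)\n", run_buggy());
    printf("fixed limit=UINTPTR_MAX: check fired at depth %ld\n", run_fixed());
    return 0;
}
```

With the constructed layout the unmodified limit stops the recursion at depth 57, the zeroed limit lets it run past the real stack bottom, and the saturated limit diverts into the slow path at the depth the interrupt was raised.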
Attached patch: fix
Attachment #659030 - Flags: review?(dvander)
Attachment #659030 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/666bf90824f8
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug787921.js.
Flags: in-testsuite+