Closed
Bug 787921
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash with too-much-recursion through [@ js::FunctionToString]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People
(Reporter: decoder, Assigned: sstangl)
References
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])
Attachments (1 file)
patch, 1.76 KB | dvander: review+
The following testcase crashes on ionmonkey revision 68df0d67be37 (run with --ion -n -m):

    function TestCase(n, d, e, a) {
      this.bugnumber = typeof(BUGNUMER) != 'undefined' ? BUGNUMBER : '';
      this.type = (typeof window == 'undefined' ? 'shell' : 'browser');
      gTestcases[gTc++] = this;
      if (optionName && optionName != "allow_xml") {}
      {} {} {} {} // Seems to be required to crash
    }
    function f() {}
    function g(n, h) {
      var t = g(TestCase.toSource());
    }
    g(80, f);
Reporter
Comment 1•12 years ago
There is no long stack visible in GDB but I'm still pretty sure this is a call space exhaustion:

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff6cde1e2 in _int_malloc () from /lib64/libc.so.6
    Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
    (gdb) bt
    #0  0x00007ffff6cde1e2 in _int_malloc () from /lib64/libc.so.6
    #1  0x00007ffff6cdf5ed in malloc () from /lib64/libc.so.6
    #2  0x000000000041b3c6 in js_malloc (bytes=1024) at ../dist/include/js/Utility.h:157
    #3  0x000000000041ba1d in JSRuntime::malloc_ (this=0x7ffff7fb4010, bytes=1024, cx=0xe6e930) at ../../jscntxt.h:950
    #4  0x000000000041ba9a in JSContext::malloc_ (this=0xe6e930, bytes=1024) at ../../jscntxt.h:1449
    #5  0x0000000000461926 in js::ContextAllocPolicy::malloc_ (this=0x7fffff3ff2a0, bytes=1024) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jscntxt.h:2071
    #6  0x000000000047bbd1 in js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::convertToHeapStorage (this=0x7fffff3ff2a0, lengthInc=275) at ./dist/include/js/Vector.h:630
    #7  0x00000000004798bb in js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::growStorageBy (this=0x7fffff3ff2a0, incr=275) at ./dist/include/js/Vector.h:652
    #8  0x00000000004746d1 in js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::append<jschar> (this=0x7fffff3ff2a0, insBegin=0x1cf6b540, insEnd=0x1cf6b766) at ./dist/include/js/Vector.h:860
    #9  0x0000000000474551 in js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::append<jschar> (this=0x7fffff3ff2a0, insBegin=0x1cf6b540, length=275) at ./dist/include/js/Vector.h:903
    #10 0x0000000000461fd4 in js::StringBuffer::append (this=0x7fffff3ff2a0, str=0x7fffeee49ae0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/vm/StringBuffer.h:102
    #11 0x000000000046203f in js::StringBuffer::append (this=0x7fffff3ff2a0, str=0x7fffeee49ae0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/vm/StringBuffer.h:111
    #12 0x00000000004ceb34 in js::FunctionToString (cx=0xe6e930, fun=..., bodyOnly=false, lambdaParen=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsfun.cpp:716
    #13 0x00000000004cefb3 in fun_toStringHelper (cx=0xe6e930, obj=0x7ffff0717e80, indent=32768) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsfun.cpp:762
    #14 0x00000000004cf206 in fun_toSource (cx=0xe6e930, argc=0, vp=0x7fffff3ff4e0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsfun.cpp:799
    #15 0x00007ffff7f43846 in ?? ()
    #16 0x00007fffff3ff508 in ?? ()
    #17 0x00007fffff3ff4b8 in ?? ()
    #18 0x00007ffff0717e80 in ?? ()
    #19 0x0000000000000000 in ?? ()
    (gdb) x /i $pc
    => 0x7ffff6cde1e2 <_int_malloc+450>: mov %rcx,0x28(%rsp)
    (gdb) info reg rcx rsp
    rcx            0x10             16
    rsp            0x7fffff3fefc0   0x7fffff3fefc0
Crash Signature: [@ js::FunctionToString]
Assignee
Comment 2•12 years ago
The problem is that if an interrupt occurs, we set ionStackLimit to 0, which is supposed to exit into the CheckOverRecursed VMFunction. Since the StackLimit is referring to the C stack, which grows down, setting ionStackLimit to 0 is equivalent to making the stack unlimited. So not only do we never hit the interrupt, but also the ionStackLimit is set to infinite, so we segfault. Setting the ionStackLimit to MAX_POINTER fixes it.
Assignee: general → sstangl
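The limit check described in the comment above, as an added illustration that is not SpiderMonkey code: a constructed model of a down-growing native stack with a prologue check of the same shape, showing why an interrupt that sets the limit to 0 is never observed by that check (recursion runs until the real stack is exhausted), while setting it to the maximum pointer value forces the very next check into the slow path. All addresses, frame sizes and the frame cap are assumptions chosen for the simulation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for a simulated down-growing native stack. */
#define STACK_TOP   ((uintptr_t)0x100000)
#define FRAME_SIZE  ((uintptr_t)0x100)
#define REAL_LIMIT  (STACK_TOP - 64 * FRAME_SIZE)  /* room for 64 frames */
#define MAX_FRAMES  4096u   /* guard so the simulation itself halts */

/* The prologue check: the stack grows down, so being below the limit
 * means the native stack is exhausted. With limit == 0 this can never
 * be true for any address, which is the bug. */
static bool over_recursed(uintptr_t sp, uintptr_t limit) {
    return sp < limit;
}

/* Interrupt request: poison the limit so the very next check takes the
 * slow path. The buggy variant uses 0; the fix uses the maximum pointer. */
static uintptr_t interrupt_limit(bool fixed) {
    return fixed ? UINTPTR_MAX : 0;
}

/* Push frames until the check fires. An interrupt is requested just
 * before frame number `interrupt_at`. Returns the frame count at which
 * the check fired, or MAX_FRAMES if it never did (the real stack would
 * have been blown, as in the SIGSEGV inside malloc above). */
static unsigned recurse_until_check(bool fixed, unsigned interrupt_at) {
    uintptr_t limit = REAL_LIMIT;
    uintptr_t sp = STACK_TOP;
    for (unsigned depth = 0; depth < MAX_FRAMES; depth++) {
        if (depth == interrupt_at)
            limit = interrupt_limit(fixed);
        sp -= FRAME_SIZE;                 /* push one frame */
        if (over_recursed(sp, limit))
            return depth + 1;             /* CheckOverRecursed runs here */
    }
    return MAX_FRAMES;                    /* never caught: native overflow */
}

int main(void) {
    printf("no interrupt:       caught at frame %u\n", recurse_until_check(true, MAX_FRAMES));
    printf("interrupt, limit=0: %u (never caught)\n", recurse_until_check(false, 10));
    printf("interrupt, fixed:   caught at frame %u\n", recurse_until_check(true, 10));
    return 0;
}
```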
Assignee
Comment 3•12 years ago
Attachment #659030 - Flags: review?(dvander)
Updated•12 years ago
Attachment #659030 - Flags: review?(dvander) → review+
Assignee
Comment 4•12 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/666bf90824f8
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter
Comment 5•11 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug787921.js.
Flags: in-testsuite+