811694 - JM Crash [@ js::mjit::EnterMethodJIT] on Heap with TI disabled

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 4e9567eeb09e (run with -m -a --no-ti):


evaluate('\
var ClassToMethodMap =  { Array: [ "indexOf", "lastIndexOf", "every" ]  };\
function testMethod(Class, className, method) {\
  try  {\
    (0, Class.prototype[method])();\
  }  catch (e)  {  }\
}\
for (var className in ClassToMethodMap) {\
  var Class = this[className];\
  var methodNames = ClassToMethodMap[className];\
  for (var i = 0, sz = methodNames.length; i < sz; i++)   {\
    var method = methodNames[i];\
    testMethod(Class, className, method);\
  }\
}\
', { newContext: false, compileAndGo: true, global: newGlobal('new-compartment') });

Comment 1

[Christian Holler (:decoder)]

Crash traces:


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fedb7d in ?? ()
(gdb) bt
#0  0x00007ffff7fedb7d in ?? ()
#1  0x00007ffff7fe8cd2 in ?? ()
#2  0x0000000000000001 in ?? ()
#3  0x00007fffffffd3e0 in ?? ()
#4  0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x7ffff7fedb7d:      mov    0x58(%r15),%r15


==44076== Invalid read of size 8
==44076==    at 0x402BB65: ???
==44076==    by 0x7AACC1: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1043)
==44076==    by 0x7AAF73: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1101)
==44076==    by 0x7AB106: js::mjit::JaegerShotAtSafePoint(JSContext*, void*, bool) (MethodJIT.cpp:1131)
==44076==    by 0x53CFE4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1374)
==44076==    by 0x7AAD98: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1070)
==44076==    by 0x7AAF73: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1101)
==44076==    by 0x7AB0C2: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1119)
==44076==    by 0x539227: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:323)
==44076==    by 0x53A212: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:515)
==44076==    by 0x53A46C: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:553)
==44076==    by 0x453569: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5540)
==44076==  Address 0x58 is not stack'd, malloc'd or (recently) free'd



Since this bug is with TI disabled, it could affect at least the ARMv6 devices where only JM is used. S-s because this is a heap crash.

Comment 2

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision fc1684f4d3a9).

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   113132:dd68409d7810
user:        Phil Ringnalda
date:        Tue Nov 13 22:08:22 2012 -0800
summary:     Back out 3da143341145 (bug 784294) and 862f9cd7eb0b (bug 791850) for breaking Jetpack

This iteration took 100.782 seconds to run.

Comment 4

[Christian Holler (:decoder)]

This is fixed by the backout in comment 3.

Comment 5

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.

Comment 6

[u279076]

Can this be put in testsuite?