934427 - Crash [@ ScriptFromCalleeToken]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 3dd1dc64123a (run with --fuzzing-safe):


test();
function test() {
var a1; var a2; var a3; var a4; var a5; var a6; var a7; var a8; var a9;
var p1=test();
var a11; var a12; var a13; var a14; var a15; var a16; var a17; var a18;
var a19; var a20; var a21; var a22; var a23; var a24; var a25; var a26; var a27; var a28;
var a29; var a30; var a31; var a32; var a33; var a34; var a35; var a36; var a37; var a38;
var a39; var a40; var a41; var a42; var a43; var a44; var a45; var a46; var a47; var a48;
var a49; var a50; var a51; var a52; var a53; var a54; var a55; var a56; var a57; var a58;
var a59; var a60; var a61; var a62; var a63; var a64; var a65; var a66; var a67; var a68;
var a69; var a70; var a71;
function testcase() {
    eval("true = 42");
}
var a73; var a74; var a75; var a76; var a77; var a78; var a79; var a80; var a81; var a82;
var a83; var a84; var a85; var a86; var a87; var a88; var a89; var a90; var a91; var a92;
var a93; var a94; var a95; var a96; var a97; var a98; var a99; var a100; var a101; var a102;
var a103; var a104; var a105; var a106;
var [ [ handler , [x]    ]    ]  = 40;
var a108; var a109; var a110; var a111; var a112; var a113; var a114; var a115; var a116;
var a117; var a118; var a119; var a120; var a121; var a122;
}

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

Shorter test:

function f(){
  var j;
  f(0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,
      0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,
      0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,
      0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,
      0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,
      0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,
      0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9);
}
f()

Comment 3

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 4

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/c532cabb71ec
parent:      153134:ad2a5a4f53ec
user:        Kannan Vijayan
date:        Fri Nov 01 15:04:01 2013 -0400
summary:     Bug 852175 - Fix baseline stack checks on functions which may push lots of locals. r=jandem

This iteration took 422.542 seconds to run.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Kannan, is bug 852175 a likely regressor?

Comment 6

[Kannan Vijayan [:djvj]]

Seems likely.

Comment 7

[Kannan Vijayan [:djvj]]

Attachment: fix-vmcall-bug-934427.patch

Issue is in CallVM handling from baseline mainline jitcode.  There are some CallVMs that may be entered in a "may or may not have locals pushed" context, if a failure occurred.

This applies to initScopeChain callVMs, as well as stackCheck callVMs.

Fix changes the 'preInitialize' flag into a 'Phase' enum that identifies the different contexts that callVMs can be called from.

Comment 8

[Kannan Vijayan [:djvj]]

Note: Just added test case to patch.

Comment 10

[Kannan Vijayan [:djvj]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/14eb74502c41

Comment 11

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/14eb74502c41