[v8-dev] Issue 3992 in v8: MIPS64: exceptions in regexp leads to retry rather than rethrow.

[codesite-noreply via v8-dev]

Status: Assigned
Owner: plin...@gmail.com
CC: kilva...@homejinni.com,  dusan.mi...@imgtec.com
Labels: Type-Bug Priority-Medium
New issue 3992 by yang...@chromium.org: MIPS64: exceptions in regexp leads  
to retry rather than rethrow.
https://code.google.com/p/v8/issues/detail?id=3992

I found this while fixing a regexp issue  
(https://codereview.chromium.org/1034173002/).

Test, run with --stack-size=100

(function f() { f(/./.test("a")); })();


#
# Fatal error in ../src/isolate.cc, line 933
# Check failed: !has_pending_exception().
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::Isolate::Throw(v8::internal::Object*,  
v8::internal::MessageLocation*)
 3: v8::internal::Isolate::StackOverflow()
 4: v8::internal::RegExpMacroAssemblerMIPS::CheckStackGuardState(unsigned  
char**, v8::internal::Code*, unsigned char*)
 5: v8::internal::Simulator::SoftwareInterrupt(v8::internal::Instruction*)
 6: v8::internal::Simulator::DecodeTypeRegister(v8::internal::Instruction*)
 7: v8::internal::Simulator::InstructionDecode(v8::internal::Instruction*)
 8: v8::internal::Simulator::Execute()
 9: v8::internal::Simulator::CallInternal(unsigned char*)
10: v8::internal::Simulator::Call(unsigned char*, int, ...)
11: v8::internal::NativeRegExpMacroAssembler::Execute(v8::internal::Code*,  
v8::internal::String*, int, unsigned char const*, unsigned char const*,  
int*, int, v8::internal::Isolate*)
12:  
v8::internal::NativeRegExpMacroAssembler::Match(v8::internal::Handle<v8::internal::Code>,  
v8::internal::Handle<v8::internal::String>, int*, int, int,  
v8::internal::Isolate*)
13:  
v8::internal::RegExpImpl::IrregexpExecRaw(v8::internal::Handle<v8::internal::JSRegExp>,  
v8::internal::Handle<v8::internal::String>, int, int*, int)
14:  
v8::internal::RegExpImpl::IrregexpExec(v8::internal::Handle<v8::internal::JSRegExp>,  
v8::internal::Handle<v8::internal::String>, int,  
v8::internal::Handle<v8::internal::JSArray>)
15:  
v8::internal::RegExpImpl::Exec(v8::internal::Handle<v8::internal::JSRegExp>,  
v8::internal::Handle<v8::internal::String>, int,  
v8::internal::Handle<v8::internal::JSArray>)
16: 0x11c2d76
17: v8::internal::Runtime_RegExpExec(int, v8::internal::Object**,  
v8::internal::Isolate*)
18: v8::internal::Simulator::SoftwareInterrupt(v8::internal::Instruction*)
19: v8::internal::Simulator::DecodeTypeRegister(v8::internal::Instruction*)
20: v8::internal::Simulator::InstructionDecode(v8::internal::Instruction*)
21: v8::internal::Simulator::Execute()
22: v8::internal::Simulator::CallInternal(unsigned char*)
23: v8::internal::Simulator::Call(unsigned char*, int, ...)
24: 0xbbd6e0
25: v8::internal::Execution::Call(v8::internal::Isolate*,  
v8::internal::Handle<v8::internal::Object>,  
v8::internal::Handle<v8::internal::Object>, int,  
v8::internal::Handle<v8::internal::Object>*, bool)
26: v8::Script::Run(v8::Local<v8::Context>)
27: v8::Script::Run()
28: v8::Shell::ExecuteString(v8::Isolate*, v8::Handle<v8::String>,  
v8::Handle<v8::Value>, bool, bool, v8::Shell::SourceType)
29: v8::SourceGroup::Execute(v8::Isolate*)
30: v8::Shell::RunMain(v8::Isolate*, int, char**)
31: v8::Shell::Main(int, char**)
32: main
33: __libc_start_main
34: 0xa381d4
Illegal instruction (core dumped)



The reason seems to be this:

- We eventually run out of stack space, causing stack overflow to be thrown.
- The regexp code returns with -1 for exception.
- The code that deals with the return value is this:

  __ Branch(&success, eq, v0, Operand(1));
  // We expect exactly one result since we force the called regexp to behave
  // as non-global.
  Label failure;
  __ Branch(&failure, eq, v0, Operand(NativeRegExpMacroAssembler::FAILURE));
  // If not exception it can only be retry. Handle that in the runtime  
system.
  __ Branch(&runtime, ne, v0,  
Operand(NativeRegExpMacroAssembler::EXCEPTION));


The code from the second branch on disassembles into
  0x60256360  6401ffff       daddiu  at, zero_reg, -1
  0x60256364  144100ea       bne     v0, at, 234
  0x60256368  00000000       nop
  0x6025636c  3c050000       lui     a1, 0x0
  0x60256370  34a52500       ori     a1, a1, 0x2500
  0x60256374  00052c38       dsll    a1, a1, 16
  0x60256378  34a54141       ori     a1, a1, 0x4141
  0x6025637c  3c060000       lui     a2, 0x0
  0x60256380  34c60237       ori     a2, a2, 0x237
  0x60256384  00063438       dsll    a2, a2, 16


Stepping to 0x60256364 (the bne instruction), we can look at v0 and at

sim> p v0
v0: 0xffffffff 4294967295
sim> p at
at: 0xffffffffffffffff -1

The comparison fails, so instead of falling through to rethrowing the  
exception, we jump to runtime to retry the regexp. There we hit the stack  
overflow again. Throwing the stack overflow the second time causes  
assertion failure.



--
You received this message because this project is configured to send all  
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.