Fragment ilist recreation not deterministic when following direct jumps to a future sandbox2ro page
From rnk@google.com on October 08, 2012 14:39:53
This V8 command reproduces the issue:
$ ~/dynamorio/build/install/bin64/drrun -debug -ops "-checklevel 1 -reset_every_nth_pending 0 -stderr_mask 12" ~/v8/out/x64.release/d8 --nobreak-on-abort ~/v8/test/mjsunit/mjsunit.js ~/v8/test/mjsunit/mul-exhaustive-part3.js --test
<Application /usr/local/google/home/rnk/v8/out/x64.release/d8 (1688). Internal Error Internal DynamoRIO Error: ../../core/x86/interp.c:5451 target_tag == next_tag (Error occurred @901903 frags)
Some print debugging shows this: target_tag 0x0000107b0c9c6f20, next_tag 0x0000107b0c9c6f29
The trace ends with:
+113 L4 @0x00000000416da8f0 e9 ab 42 33 cb jmp $0x0000107b0c9c6f20
So there's some small discrepancy, off by 8 or 9 depending on the run.
Original issue: http://code.google.com/p/dynamorio/issues/detail?id=940
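To sanity-check the last instruction of that trace, here is a small added decoder (example code, not part of DynamoRIO or of this report) for a 5-byte direct near jmp: it computes the target the rel32 literally encodes at the given code-cache pc and checks whether a 64-bit address is even within rel32 reach of the jmp. The bytes and addresses are the ones quoted in the report; the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decode a direct near jmp (opcode E9 + signed rel32) located at `pc`.
 * Returns 0 on success and stores the 64-bit target in *target,
 * -1 if the bytes are not a 5-byte E9 jmp. */
int decode_jmp_rel32(const uint8_t *bytes, size_t len, uint64_t pc, uint64_t *target)
{
    if (len < 5 || bytes[0] != 0xE9)
        return -1;
    /* rel32 is little-endian and relative to the end of the instruction. */
    uint32_t raw = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                   ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    int32_t disp = (int32_t)raw;              /* sign-extended on x64 */
    *target = pc + 5 + (uint64_t)(int64_t)disp;
    return 0;
}

/* Nonzero if `target` can be encoded as a rel32 from a jmp at `pc`
 * (i.e. the distance from the end of the jmp fits in a signed 32-bit value). */
int rel32_reachable(uint64_t pc, uint64_t target)
{
    int64_t delta = (int64_t)(target - (pc + 5));
    return delta >= INT32_MIN && delta <= INT32_MAX;
}

int main(void)
{
    /* Bytes, cache address and printed target taken from the trace above. */
    const uint8_t jmp[] = {0xe9, 0xab, 0x42, 0x33, 0xcb};
    uint64_t pc = 0x416da8f0ULL, tgt = 0;
    if (decode_jmp_rel32(jmp, sizeof jmp, pc, &tgt) == 0)
        printf("rel32 as encoded resolves to 0x%016llx\n", (unsigned long long)tgt);
    printf("printed target 0x107b0c9c6f20 reachable via rel32: %d\n",
           rel32_reachable(pc, 0x0000107b0c9c6f20ULL));
    return 0;
}
```

The encoded displacement resolves to 0x0ca0eba0, and the printed 64-bit target lies far outside the ±2 GB rel32 range of the jmp, so the disassembler's target annotation is not a literal decode of those five bytes.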