743132 - IonMonkey: Assertion failure: safepoint.allSpills().empty(), at ion/IonFrames.cpp:433 or Crash [@ js::HeapPtr<js::BaseShape, unsigned long>::operator]

Status: RESOLVED DUPLICATE of bug 755157

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on ionmonkey revision a9a18824b4c1 (run with --ion -n -m --ion-eager):


gczeal(2);
evaluate("\
  function f(N) {\
    for (var i = 45e13 ; i != N; ++i) {\
      var obj0 = {}, obj1 = {}, obj2 = {};\
      obj2['b'+(i+1)] = 1;\
      for (var repeat = 0;repeat != 2; ++repeat) {\
          for (var k in obj2) {\
            for (var l in obj0)\
            ++count;\
        }\
      }\
    }\
  }\
  var array = [function() { f(10); }, ];\
    for (var i = 0; i != array.length; ++i)\
      array[i]();\
");

Comment 1

[Christian Holler (:decoder)]

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000405a96 in js::Shape::getObjectClass (this=0x7ffff0915000) at ../../jsscope.h:603
603         Class *getObjectClass() const { return base()->clasp; }
(gdb) bt
#0  0x0000000000405a96 in js::Shape::getObjectClass (this=0x7ffff0915000) at ../../jsscope.h:603
#1  0x0000000000406f8e in js::ObjectImpl::getClass (this=0x7ffff0914d80) at ../../vm/ObjectImpl-inl.h:245
#2  0x000000000051c885 in js::GetIterator (cx=0xd05d30, obj=0x7ffff0914d80, flags=1, vp=0x7fffffff4380) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsiter.cpp:694
#3  0x000000000051d06c in js::GetIteratorObject (cx=0xd05d30, obj=0x7ffff0914d80, flags=1) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsiter.cpp:821
#4  0x00007ffff7f4303a in ?? ()
#5  0x0000000000000000 in ?? ()

Comment 2

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7ac0cbabb3d7).

Comment 3

[Christian Holler (:decoder)]

JSBugMon doesnt seem to be able to reproduce this bug on the original revision. However, I manually checked that this still asserts/crashes on 67bf9a4a1f77, however the symptoms changed:


Stepping through assertion shows:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004137c4 in js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape* (this=0xdadadadadadadada) at ../../gc/Barrier.h:214
214         operator T*() const { return value; }
(gdb) bt 8
#0  0x00000000004137c4 in js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape* (this=0xdadadadadadadada) at ../../gc/Barrier.h:214
#1  0x0000000000405b9c in js::Shape::base (this=0xdadadadadadadada) at ../../jsscope.h:704
#2  0x0000000000405aa6 in js::Shape::getObjectClass (this=0xdadadadadadadada) at ../../jsscope.h:603
#3  0x000000000040708c in js::ObjectImpl::getClass (this=0x7ffff0914d00) at ../../vm/ObjectImpl-inl.h:245
#4  0x000000000051d609 in js::GetIterator (cx=0xd14d40, obj=0x7ffff0914d00, flags=1, vp=0x7fffffff91f0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsiter.cpp:694
#5  0x000000000051ddf0 in js::GetIteratorObject (cx=0xd14d40, obj=0x7ffff0914d00, flags=1) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsiter.cpp:821
#6  0x00007ffff7f4303a in ?? ()
#7  0x00007fffffff95c0 in ?? ()
(More stack frames follow...)
(gdb) x /i $pc
=> 0x4137c4 <js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape*() const+12>:    mov    (%rax),%rax
(gdb) info reg rax
rax            0xdadadadadadadada       -2676586395008836902
(gdb) 


Marking s-s as this looks like a use-after-free condition.