Closed Bug 779814 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: stackPosition_ < info_.nslots(), at ion/MIRGraph.cpp:332 or Crash [@ vtable for js::ion::MConstant]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking

RESOLVED DUPLICATE of bug 779813

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][ion:p1:fx18])

The following testcase asserts on ionmonkey revision 2169bca0c9a5 (run with --ion -n -m --ion-eager):


function f_app(f,n) {
	return f();
}
assertEq(f_app(Math.sqrt, 16), 4);

Opt-crash looks dangerous:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a81d10 in vtable for js::ion::MConstant ()
Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
(gdb) x /i $pc
=> 0xa81d10 <_ZTVN2js3ion9MConstantE+16>:       rcrb   0x0(%rsp,%rbp,2)
(gdb) info reg rsp rbp
rsp            0x7fffffffc858   0x7fffffffc858
rbp            0x7fffffffc950   0x7fffffffc950
(gdb) bt
#0  0x0000000000a81d10 in vtable for js::ion::MConstant ()
#1  0x000000000072a1a9 in isDefinition (this=0x7fffffffc9c0) at js/src/ion/MIR.h:123
#2  search (this=0x7fffffffc9c0) at js/src/ion/MIR.h:468
#3  MUseDefIterator (this=0x7fffffffc9c0) at js/src/ion/MIR.h:477
#4  markConsumers (this=0x7fffffffc9c0) at js/src/ion/ValueNumbering.cpp:112
#5  js::ion::ValueNumberer::computeValueNumbers (this=0x7fffffffc9c0) at js/src/ion/ValueNumbering.cpp:219
#6  0x000000000072a759 in js::ion::ValueNumberer::analyze (this=0x7fffffffc9c0) at js/src/ion/ValueNumbering.cpp:386
#7  0x00000000006c12f0 in js::ion::BuildMIR (builder=<value optimized out>, graph=...) at js/src/ion/Ion.cpp:748
#8  0x00000000006c4844 in TestCompiler (cx=0xac8670, script=<value optimized out>, fun=<value optimized out>, osrPc=0x0, constructing=<value optimized out>)
    at js/src/ion/Ion.cpp:839
#9  js::ion::IonCompile<js::ion::TestCompiler> (cx=0xac8670, script=<value optimized out>, fun=<value optimized out>, osrPc=0x0, constructing=<value optimized out>)
    at js/src/ion/Ion.cpp:876
#10 0x00000000006c4f3c in Compile<js::ion::TestCompiler> (cx=0xac8670, script=0x7ffff07071a0, fp=0x7ffff09d50d0, newType=<value optimized out>) at js/src/ion/Ion.cpp:992
#11 js::ion::CanEnter (cx=0xac8670, script=0x7ffff07071a0, fp=0x7ffff09d50d0, newType=<value optimized out>) at js/src/ion/Ion.cpp:1082

Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security