Bug 1188296 - Crash [@ js::jit::IonBuilder::replaceTypeSet] with OOM
Status: RESOLVED DUPLICATE of bug 1191756
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Hardware: x86_64 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz 912928
Reported: 2015-07-28 03:51 PDT by Christian Holler (:decoder)
Modified: 2015-08-12 06:40 PDT

Description  Christian Holler (:decoder)  2015-07-28 03:51:05 PDT
The following testcase crashes on mozilla-central revision d3228c82badd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager --ion-offthread-compile=off):

if (typeof isSurrogatePair === 'undefined') {
    var isSurrogatePair = function isSurrogatePair(s) {
        return s.length == 2 && isHighSurrogate(s[0]) && isLowSurrogate(s[1]);
    };
}
function test(s, expectedCodePoints) {
    for (var v of s) {
        assertEq(v.length, isSurrogatePair(v) ? 2 : 1);
        singleHighSurrogate = !isSurrogatePair(v) && isHighSurrogate(v);
    }
}
test('abc', 3);


Program received signal SIGSEGV, Segmentation fault.
js::jit::IonBuilder::replaceTypeSet (this=0x7ffff69b51a8, subject=0x7ffff69b7690, type=0x0, test=0x7ffff69b7c48) at js/src/jit/IonBuilder.cpp:3416
#0  js::jit::IonBuilder::replaceTypeSet (this=0x7ffff69b51a8, subject=0x7ffff69b7690, type=0x0, test=0x7ffff69b7c48) at js/src/jit/IonBuilder.cpp:3416
#1  0x0000000000948196 in js::jit::IonBuilder::improveTypesAtTest (this=this@entry=0x7ffff69b51a8, ins=0x7ffff69b7690, trueBranch=<optimized out>, test=test@entry=0x7ffff69b7c48) at js/src/jit/IonBuilder.cpp:3837
#2  0x000000000095e3ff in js::jit::IonBuilder::jsop_andor (this=0x7ffff69b51a8, op=op@entry=JSOP_AND) at js/src/jit/IonBuilder.cpp:4192
#3  0x000000000098b356 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff69b51a8, op=op@entry=JSOP_AND) at js/src/jit/IonBuilder.cpp:1668
#4  0x000000000098c020 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69b51a8) at js/src/jit/IonBuilder.cpp:1505
#5  0x000000000098c465 in js::jit::IonBuilder::build (this=0x7ffff69b51a8) at js/src/jit/IonBuilder.cpp:904
#6  0x000000000098f080 in js::jit::IonCompile (cx=cx@entry=0x7ffff6907000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2013
#7  0x0000000000994b94 in js::jit::Compile (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2236
#8  0x0000000000994dc6 in js::jit::CanEnter (cx=cx@entry=0x7ffff6907000, state=...) at js/src/jit/Ion.cpp:2390
#9  0x00000000006bbbc5 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:637
#10 0x00000000006bc234 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:738
#11 0x00000000006bddc6 in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffc178, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:775
#12 0x00000000008e833a in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffffc1d8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc168, res=...) at js/src/jit/BaselineIC.cpp:9867
#13 0x00007ffff7feebdf in ?? ()
#39 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff69b7690	140737330771600
rcx	0x7ffff69b7c48	140737330773064
rdx	0x0	0
rsi	0x7ffff69b7690	140737330771600
rdi	0x7ffff69b51a8	140737330762152
rbp	0x7fffffffb2a0	140737488335520
rsp	0x7fffffffb230	140737488335408
r8	0x0	0
r9	0x53b8	21432
r10	0x4	4
r11	0x4	4
r12	0x7ffff69b51a8	140737330762152
r13	0x7fffffffb2d0	140737488335568
r14	0x7ffff69b7c48	140737330773064
r15	0x7ffff69b5ac8	140737330764488
rip	0x933541 <js::jit::IonBuilder::replaceTypeSet(js::jit::MDefinition*, js::TemporaryTypeSet*, js::jit::MTest*)+17>
=> 0x933541 <js::jit::IonBuilder::replaceTypeSet(js::jit::MDefinition*, js::TemporaryTypeSet*, js::jit::MTest*)+17>:	mov    (%rdx),%eax
   0x933543 <js::jit::IonBuilder::replaceTypeSet(js::jit::MDefinition*, js::TemporaryTypeSet*, js::jit::MTest*)+19>:	mov    %rdx,-0x58(%rbp)
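The trace above is a null dereference under simulated OOM: replaceTypeSet is entered with type=0x0, rdx is 0, and the faulting instruction mov (%rdx),%eax reads through it. The following C++ is an added example, not SpiderMonkey code and not attached to this bug: a toy arena whose allocation can be made to fail on any given call, a type-set clone that returns nullptr when the arena fails, an unchecked caller with the shape of this crash beside a checked one, and a sweep that fails every allocation in turn (the fail-at-N-then-repeat pattern of JS shell OOM testing) to confirm the checked path degrades cleanly. All names here (FailingArena, TypeSet, cloneWithoutFlag, narrowUnchecked, narrowChecked, oomSweep, narrowTwice) are mine and stand in for nothing in the engine.

```cpp
// Added example: OOM-injection harness around a fallible allocation.
// Not SpiderMonkey code; names are illustrative only.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>
#include <vector>

// Tiny arena whose allocation returns nullptr on the failAt-th call,
// modelling an allocator under memory pressure.
struct FailingArena {
    std::size_t calls = 0;
    std::size_t failAt = SIZE_MAX;   // index of the call that fails
    std::vector<void*> owned;

    void* alloc(std::size_t bytes) {
        if (calls++ == failAt) return nullptr;          // simulated OOM
        void* p = ::operator new(bytes, std::nothrow);
        if (p) owned.push_back(p);
        return p;
    }
    ~FailingArena() { for (void* p : owned) ::operator delete(p); }
};

// Stand-in for a type set: a bitmask of observed types (constructed).
struct TypeSet { std::uint32_t flags; };

// Clone a type set minus one flag. Returns nullptr when the arena fails.
TypeSet* cloneWithoutFlag(FailingArena& arena, const TypeSet* subject, std::uint32_t flag) {
    void* mem = arena.alloc(sizeof(TypeSet));
    if (!mem) return nullptr;
    return new (mem) TypeSet{subject->flags & ~flag};
}

// Unchecked caller: the shape of the crash above. Never called here,
// because under injected OOM it dereferences nullptr.
std::uint32_t narrowUnchecked(FailingArena& arena, const TypeSet* subject, std::uint32_t flag) {
    TypeSet* narrowed = cloneWithoutFlag(arena, subject, flag);
    return narrowed->flags;   // null dereference when the clone failed
}

// Checked caller: report the failure so the compilation can be abandoned.
bool narrowChecked(FailingArena& arena, const TypeSet* subject, std::uint32_t flag, std::uint32_t* out) {
    TypeSet* narrowed = cloneWithoutFlag(arena, subject, flag);
    if (!narrowed) return false;   // clean OOM failure, no dereference
    *out = narrowed->flags;
    return true;
}

// OOM sweep: count allocations in an unfailing run, then rerun `fn`
// with each allocation made to fail in turn. Returns how many runs
// failed cleanly; a null dereference would abort the process instead.
template <typename Fn>
int oomSweep(Fn fn) {
    FailingArena probe;
    fn(probe);
    std::size_t total = probe.calls;
    int cleanFailures = 0;
    for (std::size_t i = 0; i < total; ++i) {
        FailingArena arena;
        arena.failAt = i;
        if (!fn(arena)) ++cleanFailures;
    }
    return cleanFailures;
}

// Workload with two fallible allocations, like two type refinements.
bool narrowTwice(FailingArena& arena) {
    TypeSet subject{0b111};
    std::uint32_t a = 0, b = 0;
    return narrowChecked(arena, &subject, 0b001, &a) &&
           narrowChecked(arena, &subject, 0b010, &b);
}

int main() {
    std::printf("clean OOM failures: %d of 2 allocation sites\n", oomSweep(narrowTwice));
    return 0;
}
```

The sweep is the part worth keeping: it turns "does this path survive OOM?" into a yes/no check that runs in a test, which is how an unchecked allocation like the one behind this signature is found before a fuzzer finds it.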
Comment 1  Benjamin Bouvier [:bbouvier]  2015-08-12 06:40:54 PDT
Can't reproduce with the patch in bug 1191756, and it's the same signature and the stack trace resembles the one in bug 1191756. Closing as dup.

*** This bug has been marked as a duplicate of bug 1191756 ***