TI: Crash in mjit-generated code

RESOLVED FIXED

Status


Core
JavaScript Engine
critical
6 years ago
5 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Trunk
x86
Linux
crash, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
The following testcase crashes on TI revision ac0989a03bf1 (run with options -m -a -n), tested on 32 bit:

test();
function test() {
  var a = [];
  a*=3;
  a.length;
}


==15780== Invalid read of size 4
==15780==    at 0x57A912F: ???
==15780==  Address 0x1c is not stack'd, malloc'd or (recently) free'd
==15780== 
==15780== 
==15780== Process terminating with default action of signal 11 (SIGSEGV)
==15780==  Access not within mapped region at address 0x1C
==15780==    at 0x57A912F: ???


Original assertion was:

Assertion failure: !fe->isType(JSVAL_TYPE_DOUBLE), at ./methodjit/FrameState-inl.h:511
A broken test caused us to optimize length accesses on known non-objects as if they were known objects.

http://hg.mozilla.org/projects/jaegermonkey/rev/cd01ef66dac7
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Updated

6 years ago
Blocks: 676763
(Reporter)

Comment 2

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug650662.js.
Flags: in-testsuite+