Bug 650662 - TI: Crash in mjit-generated code
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Priority/Severity: -- critical
Assigned To: general
Blocks: infer-regress langfuzz
Reported: 2011-04-17 13:21 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:27 PST
Flags: choller: in-testsuite+
Description Christian Holler (:decoder) 2011-04-17 13:21:04 PDT
The following testcase crashes on TI revision ac0989a03bf1 (run with options -m
-a -n), tested on 32 bit:

test();
function test() {
  var a = [];
  a*=3;
  a.length;
}


==15780== Invalid read of size 4
==15780==    at 0x57A912F: ???
==15780==  Address 0x1c is not stack'd, malloc'd or (recently) free'd
==15780== 
==15780== 
==15780== Process terminating with default action of signal 11 (SIGSEGV)
==15780==  Access not within mapped region at address 0x1C
==15780==    at 0x57A912F: ???


Original assertion was:

Assertion failure: !fe->isType(JSVAL_TYPE_DOUBLE), at ./methodjit/FrameState-inl.h:511
Comment 1 Brian Hackett (:bhackett) 2011-04-19 06:58:47 PDT
A broken test caused us to optimize length accesses on known non-objects as if they were known objects.

http://hg.mozilla.org/projects/jaegermonkey/rev/cd01ef66dac7
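As an added illustration (this is not code from the bug report or from the JaegerMonkey fix), the JavaScript below shows what the reduced testcase must evaluate to in a conforming engine, and why a `.length` read on a value that type inference knows to be a non-object cannot take the array-length fast path. The function names `testcaseResult`, `lengthAfterCoercion` and `lengthViaPrototype` are my own; the behaviour they check is plain ECMAScript semantics.

```javascript
// Added example (not from the bug report or SpiderMonkey). Shows the
// semantics the JIT must preserve: after `a *= 3` the array has been
// coerced to a number, so `a.length` is an ordinary property lookup on a
// primitive, not a read of an array's length slot.

// Mirrors the reported testcase: [] -> "" -> 0, so `a` becomes the number 0
// and `a.length` resolves through Number.prototype (normally undefined).
function testcaseResult() {
  var a = [];
  a *= 3;
  return { type: typeof a, value: a, length: a.length };
}

// Generalisation over other starting values: whatever `v` was, `v *= 3`
// leaves a number (possibly NaN), and `.length` on a number is undefined
// unless someone has put a `length` on Number.prototype.
function lengthAfterCoercion(v) {
  v *= 3;
  return { type: typeof v, value: v, length: v.length };
}

// Demonstrates that the lookup really goes through Number.prototype: a
// `length` defined there is observed, which an array-length fast path
// (the optimisation the bug describes) would never consult. The
// prototype change is undone afterwards so other code is unaffected.
function lengthViaPrototype() {
  var saved = Object.getOwnPropertyDescriptor(Number.prototype, 'length');
  Object.defineProperty(Number.prototype, 'length',
                        { value: 42, configurable: true });
  try {
    var a = [];
    a *= 3;
    return a.length;
  } finally {
    if (saved) {
      Object.defineProperty(Number.prototype, 'length', saved);
    } else {
      delete Number.prototype.length;
    }
  }
}
```

Running `testcaseResult()` in any conforming engine yields `{ type: 'number', value: 0, length: undefined }`; the crash in the report came from the JIT treating that final property read as if `a` were still a known array object.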
Comment 2 Christian Holler (:decoder) 2013-01-14 08:27:53 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug650662.js.