Closed Bug 716895 Opened 13 years ago Closed 12 years ago

IonMonkey: Segmentation fault running deltablue.js

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: h4writer, Unassigned)

Details

Attachments

(1 file)

testcase
600 bytes, patch
dvander
: review+
Details | Diff | Splinter Review 
I narrowed the test down to the following code:

function output(c) {
  return (c.direction == 1) ? c.v2 : c.v1;
}

var constraint = { 
  v1 : {},
  v2 : {},
  direction: 1
}

for (i=0; i<100; i++){
  output(constraint)
  constraint.direction = -1
  output(constraint);
}

It looks a lot like #715111, but I'm not sure.
Therefor I'm creating a new bug for this.
If it's the same feel free to mark as duplicate.

Program received signal SIGSEGV, Segmentation fault.
0x080cbe14 in Type (data=<optimized out>, this=<optimized out>)
    at /home/h4writer/Build/ionmonkey/js/src/jsinfer.h:71
71	    Type(jsuword data) : data(data) {}
I could reduce it even more to:

function output(c, dir) {
  return (dir) ? c.v1 : c.v1;
}

var constraint = { 
  v1 : {}
}

for (i=0; i<100; i++){
  output(constraint, 0)
  output(constraint, 1);
}
Nice work reducing this, though it looks like it reproduces bug 714727 instead. deltablue is still segfaulting though and I think it is bug 715111.
Attached patch testcaseSplinter Review 
Indeed testcase succeeds now. I've created a patch for the testcase. I wasn't sure if it was needed or not.

I've also reduced the testcase again, to find why it still segfaults. Could be #715111 like you suggested, but I'm not sure. Therefor I created a new bug report #723271. That way if #715111 is fixed, we can test if it solves that test too.
Attachment #593598 - Flags: review?(dvander)
Comment on attachment 593598 [details] [diff] [review]
testcase

Review of attachment 593598 [details] [diff] [review]:
-----------------------------------------------------------------

No review needed for test cases, you can just checkin.
Attachment #593598 - Flags: review?(dvander) → review+
Keywords: checkin-needed
Whiteboard: checkin on ionmonkey branch
http://hg.mozilla.org/projects/ionmonkey/rev/41b54805815b
Status: NEW → RESOLVED
Closed: 12 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: checkin on ionmonkey branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: