Closed Bug 724788 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::FindPropertyHelper] or "Assertion failure: shape_,"

Categories: Core :: JavaScript Engine, defect
Platform: x86, macOS
Severity: critical
Status: RESOLVED FIXED

People: Reporter: gkw, Assigned: dvander

Keywords: assertion, crash, testcase

Attachments: 2 files, 1 obsolete file

Attached file stack
o0 = TypeError.prototype.__proto__
o1 = Proxy.create({})
o13 = {}.__proto__
var o15 = Object.prototype
o31 = (new Uint32Array(100)).buffer
function f2(o) {
  try {
    ({
      x: [eval("o")][0]
    }.x.__defineGetter__("toString", function() {
      return o26;
    }));
  } catch (e) {}
}
function f3(o) {
  try {
    +o31
  } catch (e) {}
}
function f19(o) {
  for (var x in eval("o")) {
    eval("o")[x];
  }
}
f2(o15)
f3(o0)
f19(o13)

Asserts the js debug shell on IonMonkey changeset f46cfb199e77 with -m, --ion, --ion-eager and -n at "Assertion failure: shape_," and crashes the js opt shell at js::FindPropertyHelper.
The bug here is that the initial snapshot captures the result of MFunctionEnvironment, but if we bail out in the type check prologue, this instruction hasn't been run yet.
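Added example, not code from this bug or from IonMonkey: a toy model of an instruction stream with bailout snapshots, plus a consistency check that flags the defect described in the comment above (a snapshot capturing the result of an instruction that has not executed yet when the bailout can fire). The class names, the `type-check prologue` label and the instruction ordering are assumptions made for this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model: these are not IonMonkey's own types.


@dataclass
class Snapshot:
    captured: List[str]  # SSA values the resume point must be able to restore


@dataclass
class Instr:
    name: str                          # opcode-like label
    defines: Optional[str] = None      # SSA value this instruction produces
    snapshot: Optional[Snapshot] = None  # bailout snapshot attached here, if any


def check_snapshots(stream: List[Instr]) -> List[Tuple[str, str]]:
    """Return (instruction, value) pairs where a snapshot captures a value
    that no earlier instruction has defined. At that bailout point the value
    is uninitialized, which is the shape of the crash in this report."""
    defined = set()
    problems = []
    for ins in stream:
        if ins.snapshot is not None:
            for v in ins.snapshot.captured:
                if v not in defined:
                    problems.append((ins.name, v))
        if ins.defines:
            defined.add(ins.defines)
    return problems


def buggy_stream() -> List[Instr]:
    # The prologue type check can bail before MFunctionEnvironment runs,
    # yet its snapshot already captures that instruction's result ("env").
    return [
        Instr("MParameter", defines="arg0"),
        Instr("type-check prologue", snapshot=Snapshot(["arg0", "env"])),
        Instr("MFunctionEnvironment", defines="env"),
        Instr("MStart", snapshot=Snapshot(["arg0", "env"])),
    ]


def fixed_stream() -> List[Instr]:
    # Prologue snapshot only captures values that exist before the check.
    return [
        Instr("MParameter", defines="arg0"),
        Instr("type-check prologue", snapshot=Snapshot(["arg0"])),
        Instr("MFunctionEnvironment", defines="env"),
        Instr("MStart", snapshot=Snapshot(["arg0", "env"])),
    ]
```

Running `check_snapshots` over both streams reports the premature capture only for the buggy one; a check of this kind belongs in the compiler's graph-consistency pass rather than in a fuzzer-found crash.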
(In reply to David Anderson [:dvander] from comment #1)
> The bug here is that the initial snapshot captures the result of
> MFunctionEnvironment, but if we bail out in the type check prologue, this
> instruction hasn't been run yet.

I just reduced Kraken crypto-ccm again and I'm pretty sure it's crashing due to this bug.
Attached patch fix (obsolete) — Splinter Review
Unfortunately we still crash elsewhere in Kraken, but this appears to fix this bug and crypto-ccm. This is extremely gross though so I'm going to file a follow-up bug on a new opcode.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #598469 - Flags: review?(jdemooij)
Attachment #598469 - Attachment is obsolete: true
Attachment #598469 - Flags: review?(jdemooij)
Attachment #598471 - Flags: review?(jdemooij)
Comment on attachment 598471 [details] [diff] [review]
this time with more qref

I applied this fix to latest tip and Kraken now runs without crashing here, both x86 and x64.
Attachment #598471 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/82c6ca0616d0
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug724788.js.
Flags: in-testsuite+