Closed
Bug 724788
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::FindPropertyHelper] or "Assertion failure: shape_,"
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: dvander)
(Keywords: assertion, crash, testcase)
Attachments
(2 files, 1 obsolete file)
11.55 KB, text/plain
2.19 KB, patch (jandem: review+)
o0 = TypeError.prototype.__proto__
o1 = Proxy.create({})
o13 = {}.__proto__
var o15 = Object.prototype
o31 = (new Uint32Array(100)).buffer
function f2(o) {
  try {
    ({ x: [eval("o")][0] }.x.__defineGetter__("toString", function() { return o26; }));
  } catch (e) {}
}
function f3(o) {
  try { +o31 } catch (e) {}
}
function f19(o) {
  for (var x in eval("o")) {
    eval("o")[x];
  }
}
f2(o15)
f3(o0)
f19(o13)

asserts js debug shell on IonMonkey changeset f46cfb199e77 with -m, --ion, --ion-eager and -n at Assertion failure: shape_, and crashes js opt shell at js::FindPropertyHelper
Comment 1•12 years ago
The bug here is that the initial snapshot captures the result of MFunctionEnvironment, but if we bail out in the type check prologue, this instruction hasn't been run yet.
Comment 2•12 years ago
(In reply to David Anderson [:dvander] from comment #1)
> The bug here is that the initial snapshot captures the result of
> MFunctionEnvironment, but if we bail out in the type check prologue, this
> instruction hasn't been run yet.

I just reduced Kraken crypto-ccm again and I'm pretty sure it's crashing due to this bug.
Comment 3•12 years ago
Unfortunately we still crash elsewhere in Kraken, but this appears to fix this bug and crypto-ccm. This is extremely gross though so I'm going to file a follow-up bug on a new opcode.
Comment 4•12 years ago
Attachment #598469 - Attachment is obsolete: true
Attachment #598469 - Flags: review?(jdemooij)
Attachment #598471 - Flags: review?(jdemooij)
Comment 5•12 years ago
Comment on attachment 598471 [details] [diff] [review]
this time with more qref

I applied this fix to latest tip and Kraken now runs without crashing here, both x86 and x64.
Attachment #598471 - Flags: review?(jdemooij) → review+
Comment 6•12 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/82c6ca0616d0
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 8•11 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug724788.js.
Flags: in-testsuite+