Closed Bug 724788 Opened 14 years ago Closed 14 years ago

IonMonkey: Crash [@ js::FindPropertyHelper] or "Assertion failure: shape_,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: dvander)

References

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(2 files, 1 obsolete file)

stack
11.55 KB, text/plain
Details
this time with more qref
2.19 KB, patch
jandem
: review+
Details | Diff | Splinter Review
Attached file stack
o0 = TypeError.prototype.__proto__ o1 = Proxy.create({}) o13 = {}.__proto__ var o15 = Object.prototype o31 = (new Uint32Array(100)).buffer function f2(o) { try { ({ x: [eval("o")][0] }.x.__defineGetter__("toString", function() { return o26; })); } catch (e) {} } function f3(o) { try { +o31 } catch (e) {} } function f19(o) { for (var x in eval("o")) { eval("o")[x]; } } f2(o15) f3(o0) f19(o13) asserts js debug shell on IonMonkey changeset f46cfb199e77 with -m, --ion, --ion-eager and -n at Assertion failure: shape_, and crashes js opt shell at js::FindPropertyHelper
The bug here is that the initial snapshot captures the result of MFunctionEnvironment, but if we bail out in the type check prologue, this instruction hasn't been run yet.
(In reply to David Anderson [:dvander] from comment #1) > The bug here is that the initial snapshot captures the result of > MFunctionEnvironment, but if we bail out in the type check prologue, this > instruction hasn't been run yet. I just reduced Kraken crypto-ccm again and I'm pretty sure it's crashing due to this bug.
Attached patch fix (obsolete) — Splinter Review
Unfortunately we still crash elsewhere in Kraken, but this appears to fix this bug and crypto-ccm. This is extremely gross though so I'm going to file a follow-up bug on a new opcode.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #598469 - Flags: review?(jdemooij)
Attachment #598469 - Attachment is obsolete: true
Attachment #598469 - Flags: review?(jdemooij)
Attachment #598471 - Flags: review?(jdemooij)
Comment on attachment 598471 [details] [diff] [review] this time with more qref I applied this fix to latest tip and Kraken now runs without crashing here, both x86 and x64.
Attachment #598471 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/82c6ca0616d0
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug724788.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: