Note: There are a few cases of duplicates in user autocompletion which are being worked on.

IonMonkey: Crash with illegal instruction (--ion-eager)

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
major
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Other Branch
x86_64
Linux
crash, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following testcase crashes on ionmonkey revision c34398f961e7 (run with --ion -n -m --ion-eager), tested on 64 bit:


function f() {
    var x = ("1234");
    var y = 0;
    return x % y;
}
assertEq(f(), NaN);
(Reporter)

Comment 1

6 years ago
Fyi, I have a lot more crashes that involve --ion-eager but they all change crash signatures or asserts during minimization, so they are likely also memory corruptions. I'll be holding those back until this is fixed :)
(Assignee)

Comment 2

6 years ago
Created attachment 595160 [details] [diff] [review]
fix

Simple bug - we had talked through that LOsiPoints would always be patchable without any padding, which looks true for the middle of the buffer, but not necessarily if the call is at the very end.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #595160 - Flags: review?(christopher.leary)
Attachment #595160 - Flags: review?(christopher.leary) → review+
(Assignee)

Comment 3

6 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/902e1b6364c4
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.