Bug 724872 - IonMonkey: Crash with illegal instruction (--ion-eager)
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- major
Assigned To: David Anderson [:dvander]
Blocks: langfuzz IonFuzz
Reported: 2012-02-07 06:59 PST by Christian Holler (:decoder)
Modified: 2012-02-09 12:08 PST

Attachments
fix (1.10 KB, patch)
2012-02-07 13:42 PST, David Anderson [:dvander]
cdleary: review+

Description Christian Holler (:decoder) 2012-02-07 06:59:18 PST
The following testcase crashes on ionmonkey revision c34398f961e7 (run with --ion -n -m --ion-eager), tested on 64 bit:


function f() {
    var x = ("1234");
    var y = 0;
    return x % y;
}
assertEq(f(), NaN);

Comment 1 Christian Holler (:decoder) 2012-02-07 07:13:13 PST
FYI, I have a lot more crashes that involve --ion-eager but they all change crash signatures or asserts during minimization, so they are likely also memory corruptions. I'll be holding those back until this is fixed :)

Comment 2 David Anderson [:dvander] 2012-02-07 13:42:20 PST
Created attachment 595160
fix

Simple bug - we had talked through that LOsiPoints would always be patchable without any padding, which looks true for the middle of the buffer, but not necessarily if the call is at the very end.

Comment 3 David Anderson [:dvander] 2012-02-09 12:08:44 PST
http://hg.mozilla.org/projects/ionmonkey/rev/902e1b6364c4