Closed Bug 729368 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::gc::PushMarkStack] or [@ EnterIon] or [@ js::ion::Cannon] or [@ js::types::TypeMonitorCallSlow]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

The following testcase crashes on ionmonkey revision ca97bbcd6b90 (run with --ion -n -m --ion-eager), tested on 64 bit:


gczeal(4);
while (true) {}
I got this too, but with a hard-to-reduce testcase, and not requiring --ion-eager.
> I got this too, but with a hard-to-reduce testcase, and not requiring
> --ion-eager.

Tested on 32-bit debug js shell on Mac 10.7, ionmonkey changeset 5a04fd69aa09.
Severity: major → critical
OS: Linux → All
Hardware: x86_64 → All
Variants of these seem to throw stacks w/ signatures [@ EnterIon] or [@ js::ion::Cannon] in 64-bit js opt shells and [@ js::types::TypeMonitorCallSlow] in 32-bit js opt shells.
Crash Signature: [@ js::gc::PushMarkStack] → [@ js::gc::PushMarkStack] [@ EnterIon] [@ js::ion::Cannon] [@ js::types::TypeMonitorCallSlow]
Summary: IonMonkey: Crash [@ js::gc::PushMarkStack] → IonMonkey: Crash [@ js::gc::PushMarkStack] or [@ EnterIon] or [@ js::ion::Cannon] or [@ js::types::TypeMonitorCallSlow]
Retested that this fails with -m, -n and --ion on IonMonkey changeset 7008b902d362, 64-bit debug js shell on Mac 10.7.

Does not crash with -m and -n on m-c changeset 13b571bde26a, 64-bit debug js shell on Mac 10.7.
I don't think I see this anymore with IonMonkey changeset c027cce870d2.
Confirmed WFM.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.