Bug 729798 (Closed)
Opened 12 years ago, closed 12 years ago
IonMonkey: Crash on Heap near [@ js::ion::MBasicBlock::numEntrySlots]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: decoder, Assigned: dvander
Keywords: crash, testcase
Attachments (1 file): patch, 9.94 KB, jandem: review+
The following testcase crashes on ionmonkey revision 5a04fd69aa09 (run with --ion -n -m --ion-eager), tested on 64 bit:

    function q2(n) {
        var c = [];
        var e = /foo$/.test(c) && c.match(/(.*)foo$/);
    }
    for (var x = 500; x < 5000; x += 500)
        var y2 = q2(x);
Comment 1 (Reporter, 12 years ago)

Stack:
#0 0x0000000000cd5fd0 in ?? ()
#1 0x0000000000787891 in js::ion::MBasicBlock::numEntrySlots (this=0xccf390) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/MIRGraph.h:376
#2 0x000000000083f76d in js::ion::C1Spewer::spewPass (this=0xc97d50, fp=0xccca80, block=0xccf390) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/C1Spewer.cpp:213
#3 0x000000000083ecf5 in js::ion::C1Spewer::spewPass (this=0xc97d50, pass=0x8e817b "Split Critical Edges") at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/C1Spewer.cpp:89
#4 0x0000000000794408 in js::ion::IonSpewer::spewPass (this=0xc97d40, pass=0x8e817b "Split Critical Edges") at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonSpewer.cpp:141
#5 0x000000000079422f in js::ion::IonSpewPass (pass=0x8e817b "Split Critical Edges") at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonSpewer.cpp:82
#6 0x000000000075f0cf in TestCompiler (builder=..., graph=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:650
#7 0x000000000075f7a0 in IonCompile (cx=0xcc6db0, script=0x7ffff09072e0, fp=0x7ffff0beb0b0, osrPc=0xcccf12 <incomplete sequence \344\232>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:759
#8 0x000000000075fe9f in js::ion::Compile (cx=0xcc6db0, script=0x7ffff09072e0, fp=0x7ffff0beb0b0, osrPc=0xcccf12 <incomplete sequence \344\232>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:894
#9 0x000000000075fcd7 in js::ion::CanEnterAtBranch (cx=0xcc6db0, script=0x7ffff09072e0, fp=0x7ffff0beb0b0, pc=0xcccf12 <incomplete sequence \344\232>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:855
#10 0x0000000000505069 in js::Interpret (cx=0xcc6db0, entryFrame=0x7ffff0beb0b0, interpMode=js::JSINTERP_BAILOUT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1767
#11 0x000000000083cb9a in js::ion::ThunkToInterpreter (vp=0x7fffffffd2e8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:514
Comment 2 (Assignee, 12 years ago)
Subtle: SplitCriticalEdges was using the wrong CompileInfo, so basic blocks could start off with too few slots in their vector, which would then get overrun. Using FixedList<> would have caught this, but I think FixedList was introduced later.
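To illustrate the mechanism described in the comment above, here is an added example (not IonMonkey's own code): a bounds-checked fixed-length list in the spirit of the FixedList<> mentioned, with a hypothetical CompileInfo stand-in that carries only a slot count. The entry-slot list is sized from one CompileInfo but filled per another with more slots; the checked container turns the silent heap overrun into a detected failure (an exception here, where the real container would assert).

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for CompileInfo: only the slot count matters here.
struct CompileInfo {
    size_t nslots;
};

// Fixed-length list whose every access is range-checked, so an overrun is
// caught at the offending index instead of corrupting neighbouring heap data.
template <typename T>
class FixedList {
    std::vector<T> items_;
public:
    bool init(size_t length) { items_.assign(length, T()); return true; }
    size_t length() const { return items_.size(); }
    T &operator[](size_t i) {
        if (i >= items_.size()) throw std::out_of_range("FixedList index");
        return items_[i];
    }
};

// Hypothetical basic block holding one entry slot per stack/local slot.
struct BasicBlock {
    FixedList<int> slots;
    // Sizes the list from sizedFrom, then fills it per filledFrom.
    // Returns false if the fill would write past the list's length.
    bool initEntrySlots(const CompileInfo &sizedFrom, const CompileInfo &filledFrom) {
        slots.init(sizedFrom.nslots);
        try {
            for (size_t i = 0; i < filledFrom.nslots; i++)
                slots[i] = static_cast<int>(i);
        } catch (const std::out_of_range &) {
            return false;   // mismatch detected, nothing overrun
        }
        return true;
    }
};

// The bug's shape: list sized from the wrong CompileInfo (constructed sample
// values: 4 slots) but filled according to the right one (7 slots).
bool reproduceMismatch() {
    CompileInfo wrongInfo{4}, rightInfo{7};
    BasicBlock block;
    return block.initEntrySlots(wrongInfo, rightInfo);   // false: overrun caught
}

// Same CompileInfo on both sides: the fill stays within the list.
bool consistentInfo() {
    CompileInfo info{7};
    BasicBlock block;
    return block.initEntrySlots(info, info);   // true
}
```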
Comment 3 (Assignee, 12 years ago)
Also in that patch, I reverted a broken change from bug 728188 - GetPropertyCache has to know its inlined script, not the script where you find script->ion. Once we improve the performance of GetPcScript() then we can remove this again.
Comment 4 (12 years ago)
Comment on attachment 600601 [details] [diff] [review] fix Review of attachment 600601 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/FixedArityList.h @@ +98,5 @@ > length_ = length; > if (length == 0) > return true; > > + list_ = (T *)GetIonContext()->temp->allocate(length * sizeof(T)); Good catch.
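Review bot: in the FixedArityList.h hunk the result of `GetIonContext()->temp->allocate(length * sizeof(T))` is assigned to `list_` with no null check visible, while the function signals failure through its bool return (it returns true for `length == 0`); if the lines following the hunk do not already do so, add `if (!list_) return false;` so a failed allocation does not leave `list_` null with a non-zero `length_`.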
Attachment #600601 - Flags: review?(jdemooij) → review+
Comment 5 (Assignee, 12 years ago)
http://hg.mozilla.org/projects/ionmonkey/rev/fc930c2090bd
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 6 (Reporter, 11 years ago)
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug729798.js.
Flags: in-testsuite+