Closed Bug 729798 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash on Heap near [@ js::ion::MBasicBlock::numEntrySlots]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The following testcase crashes on ionmonkey revision 5a04fd69aa09 (run with --ion -n -m --ion-eager), tested on 64-bit:


function q2(n) {
  var c = [];
  var e = /foo$/.test(c) && c.match(/(.*)foo$/);
}
for (var x = 500; x < 5000; x += 500)
  var y2 = q2(x);

Stack:

#0  0x0000000000cd5fd0 in ?? ()
#1  0x0000000000787891 in js::ion::MBasicBlock::numEntrySlots (this=0xccf390) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/MIRGraph.h:376
#2  0x000000000083f76d in js::ion::C1Spewer::spewPass (this=0xc97d50, fp=0xccca80, block=0xccf390) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/C1Spewer.cpp:213
#3  0x000000000083ecf5 in js::ion::C1Spewer::spewPass (this=0xc97d50, pass=0x8e817b "Split Critical Edges")
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/C1Spewer.cpp:89
#4  0x0000000000794408 in js::ion::IonSpewer::spewPass (this=0xc97d40, pass=0x8e817b "Split Critical Edges")
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonSpewer.cpp:141
#5  0x000000000079422f in js::ion::IonSpewPass (pass=0x8e817b "Split Critical Edges") at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonSpewer.cpp:82
#6  0x000000000075f0cf in TestCompiler (builder=..., graph=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:650
#7  0x000000000075f7a0 in IonCompile (cx=0xcc6db0, script=0x7ffff09072e0, fp=0x7ffff0beb0b0, osrPc=0xcccf12  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:759
#8  0x000000000075fe9f in js::ion::Compile (cx=0xcc6db0, script=0x7ffff09072e0, fp=0x7ffff0beb0b0, osrPc=0xcccf12  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:894
#9  0x000000000075fcd7 in js::ion::CanEnterAtBranch (cx=0xcc6db0, script=0x7ffff09072e0, fp=0x7ffff0beb0b0, pc=0xcccf12  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:855
#10 0x0000000000505069 in js::Interpret (cx=0xcc6db0, entryFrame=0x7ffff0beb0b0, interpMode=js::JSINTERP_BAILOUT)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1767
#11 0x000000000083cb9a in js::ion::ThunkToInterpreter (vp=0x7fffffffd2e8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:514

Attached patch: fix
Subtle: SplitCriticalEdges was using the wrong CompileInfo, so basic blocks could start off with too few slots in their vector, which would then get overrun. Using FixedList<> would have caught this, but I think FixedList was introduced later.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #600601 - Flags: review?(jdemooij)
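As an added illustration of the point above (not code from the IonMonkey tree; the CheckedFixedList class, its init/set/get helpers and countOverrunWrites are assumed names): a bounds-checked fixed-length list that turns a slot vector sized from the wrong CompileInfo into rejected writes instead of a heap overrun.

```cpp
// Added example, not code from the IonMonkey tree: a bounds-checked
// fixed-length list in the spirit of the FixedList<> mentioned above.
// The init() pattern mirrors the FixedArityList hunk under review
// (early return on zero length, then one allocation), but length_ is
// committed only after the allocation succeeds and every store is
// checked, so a slot vector sized from the wrong CompileInfo fails
// loudly instead of overrunning the heap.
#include <cassert>
#include <cstddef>
#include <cstdlib>

template <typename T>
class CheckedFixedList {
    T *list_;
    size_t length_;
  public:
    CheckedFixedList() : list_(nullptr), length_(0) {}
    ~CheckedFixedList() { std::free(list_); }

    bool init(size_t length) {
        if (length == 0) { length_ = 0; return true; }
        T *mem = static_cast<T *>(std::calloc(length, sizeof(T)));
        if (!mem) return false;        // leave the list empty on OOM
        list_ = mem;
        length_ = length;
        return true;
    }
    bool inBounds(size_t i) const { return i < length_; }
    // Checked store: refuses the write instead of running past the end.
    bool set(size_t i, const T &v) {
        if (!inBounds(i)) return false;
        list_[i] = v;
        return true;
    }
    T get(size_t i) const { assert(inBounds(i)); return list_[i]; }
};

// Simulates a block whose entry-slot vector was sized for |sizedSlots|
// entries while a later pass writes |usedSlots| of them. Returns how
// many writes were rejected, i.e. how many would have overrun an
// unchecked vector (0 when the two sizes agree).
size_t countOverrunWrites(size_t sizedSlots, size_t usedSlots) {
    CheckedFixedList<int> slots;
    if (!slots.init(sizedSlots)) return usedSlots;
    size_t rejected = 0;
    for (size_t i = 0; i < usedSlots; i++)
        if (!slots.set(i, static_cast<int>(i))) rejected++;
    return rejected;
}
```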
Also in that patch, I reverted a broken change from bug 728188 - GetPropertyCache has to know its inlined script, not the script where you find script->ion. Once we improve the performance of GetPcScript() then we can remove this again.
Comment on attachment 600601 (fix)

Review of attachment 600601:
-----------------------------------------------------------------

::: js/src/ion/FixedArityList.h
@@ +98,5 @@
>          length_ = length;
>          if (length == 0)
>              return true;
>  
> +        list_ = (T *)GetIonContext()->temp->allocate(length * sizeof(T));
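Review bot: the hunk assigns list_ from GetIonContext()->temp->allocate(length * sizeof(T)) with no visible check of the result, while length_ = length has already been stored a few lines earlier; if allocate can fail, the caller would see a list reporting a nonzero length_ with a null list_. Suggest checking the pointer and returning false on failure (or assigning length_ only after the allocation succeeds), unless the lines following the hunk already do that.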

Good catch.
Attachment #600601 - Flags: review?(jdemooij) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/fc930c2090bd
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug729798.js.
Flags: in-testsuite+