Closed Bug 729892 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash [@ js::ion::IonCode::raw]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

fix
3.14 KB, patch
sstangl
: review+
Details | Diff | Splinter Review
The following testcase crashes on ionmonkey revision 5a04fd69aa09 (run with --ion -n), tested on 64 bit: var lfcode = new Array(); lfcode.push("\ gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 4*1024);\ arr *= [1e0, 5e1, 9e19, 0.1e20, 1.3e20, 1e20, 9e20, 9.99e20, \ 0.1e21, 1e21, 1e21+65537, 1e21+65536, 1e21-65536, 1]; \ "); lfcode.push("var array = new Array((false ));\ for (var j = 0; j < 9; ++(array.__defineGetter__)) { '' + array.length; }\ "); while (true) { var file = lfcode.shift(); if (file == undefined) { break; } loadFile(file); } function loadFile(lfVarx) { try { evaluate(lfVarx); } catch (lfVare) { } }
Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00000000007615b8 in js::ion::IonCode::raw (this=0x0) at ../ion/IonCode.h:104 104 return code_; Missing separate debuginfos, use: debuginfo-install libgcc-4.4.6-3.el6.x86_64 libstdc++-4.4.6-3.el6.x86_64 (gdb) bt #0 0x00000000007615b8 in js::ion::IonCode::raw (this=0x0) at ../ion/IonCode.h:104 #1 0x00000000007f1732 in js::ion::IonCompartment::generateInvalidator (this=0xccecc0, cx=0xcc6db0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/x64/Trampoline-x64.cpp:324 #2 0x00000000007e59ae in js::ion::IonCompartment::getOrCreateInvalidationThunk (this=0xccecc0, cx=0xcc6db0) at ../ion/IonCompartment.h:147 #3 0x00000000007e2540 in js::ion::CodeGeneratorX86Shared::generateInvalidateEpilogue (this=0x7fffffff9b10) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/shared/CodeGenerator-x86-shared.cpp:982 #4 0x0000000000847ea4 in js::ion::CodeGenerator::generate (this=0x7fffffff9b10) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/CodeGenerator.cpp:1555 #5 0x000000000075f503 in TestCompiler (builder=..., graph=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:725 #6 0x000000000075f7a0 in IonCompile (cx=0xcc6db0, script=0x7ffff09074c0, fp=0x7ffff0beb150, osrPc=0xcd0b3c <incomplete sequence \344\232>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:759 #7 0x000000000075fe9f in js::ion::Compile (cx=0xcc6db0, script=0x7ffff09074c0, fp=0x7ffff0beb150, osrPc=0xcd0b3c <incomplete sequence \344\232>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:894 #8 0x000000000075fcd7 in js::ion::CanEnterAtBranch (cx=0xcc6db0, script=0x7ffff09074c0, fp=0x7ffff0beb150, pc=0xcd0b3c <incomplete sequence \344\232>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:855 #9 0x0000000000505069 in js::Interpret (cx=0xcc6db0, entryFrame=0x7ffff0beb150, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1767
Attached patch fixSplinter Review
Add OOM checks.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #600558 - Flags: review?(sstangl)
Attachment #600558 - Flags: review?(sstangl) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/f26dcc0d6ca0
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: