Closed Bug 729892 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::ion::IonCode::raw]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The following testcase crashes on ionmonkey revision 5a04fd69aa09 (run with --ion -n), tested on 64 bit:


var lfcode = new Array();
lfcode.push("\
gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 4*1024);\
arr *=  [1e0, 5e1, 9e19, 0.1e20, 1.3e20, 1e20, 9e20, 9.99e20, \
    0.1e21, 1e21, 1e21+65537, 1e21+65536, 1e21-65536, 1]; \
");
lfcode.push("var array = new Array((false  ));\
for (var j = 0; j < 9; ++(array.__defineGetter__)) { '' + array.length; }\
");
while (true) {
    var file = lfcode.shift(); if (file == undefined) { break; }
    loadFile(file);
}
function loadFile(lfVarx) {
    try {
        evaluate(lfVarx);
    } catch (lfVare) {
    }
}

Backtrace:


Program received signal SIGSEGV, Segmentation fault.
0x00000000007615b8 in js::ion::IonCode::raw (this=0x0) at ../ion/IonCode.h:104
104             return code_;
Missing separate debuginfos, use: debuginfo-install libgcc-4.4.6-3.el6.x86_64 libstdc++-4.4.6-3.el6.x86_64
(gdb) bt
#0  0x00000000007615b8 in js::ion::IonCode::raw (this=0x0) at ../ion/IonCode.h:104
#1  0x00000000007f1732 in js::ion::IonCompartment::generateInvalidator (this=0xccecc0, cx=0xcc6db0)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/x64/Trampoline-x64.cpp:324
#2  0x00000000007e59ae in js::ion::IonCompartment::getOrCreateInvalidationThunk (this=0xccecc0, cx=0xcc6db0) at ../ion/IonCompartment.h:147
#3  0x00000000007e2540 in js::ion::CodeGeneratorX86Shared::generateInvalidateEpilogue (this=0x7fffffff9b10)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/shared/CodeGenerator-x86-shared.cpp:982
#4  0x0000000000847ea4 in js::ion::CodeGenerator::generate (this=0x7fffffff9b10) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/CodeGenerator.cpp:1555
#5  0x000000000075f503 in TestCompiler (builder=..., graph=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:725
#6  0x000000000075f7a0 in IonCompile (cx=0xcc6db0, script=0x7ffff09074c0, fp=0x7ffff0beb150, osrPc=0xcd0b3c  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:759
#7  0x000000000075fe9f in js::ion::Compile (cx=0xcc6db0, script=0x7ffff09074c0, fp=0x7ffff0beb150, osrPc=0xcd0b3c  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:894
#8  0x000000000075fcd7 in js::ion::CanEnterAtBranch (cx=0xcc6db0, script=0x7ffff09074c0, fp=0x7ffff0beb150, pc=0xcd0b3c  <incomplete sequence \344\232>)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:855
#9  0x0000000000505069 in js::Interpret (cx=0xcc6db0, entryFrame=0x7ffff0beb150, interpMode=js::JSINTERP_NORMAL)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1767
Attached patch: fix
Add OOM checks.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #600558 - Flags: review?(sstangl)
Attachment #600558 - Flags: review?(sstangl) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/f26dcc0d6ca0
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
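
A minimal model of the failure class in this bug, added here as an example and not taken from the IonMonkey patch: a code allocator returns null under a tight memory budget, and the result must be tested before raw() is called on it. The types, the allocator and the function bodies are hypothetical stand-ins (two function names are borrowed from the backtrace), and reading the defect as an unchecked allocation is an assumption based on the this=0x0 frame and the "Add OOM checks" fix.

```cpp
// Added model of the bug class; all types here are hypothetical stand-ins, not IonMonkey source.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

struct Code {                       // stand-in for a compiled-code object
    std::vector<uint8_t> bytes;
    const uint8_t* raw() const { return bytes.data(); }
};

struct CodeAllocator {              // budgeted allocator; the testcase shrinks "maxBytes"
    size_t budget = 0;
    std::vector<std::unique_ptr<Code>> owned;
    Code* newCode(size_t n) {       // returns nullptr on OOM: callers must check
        if (n > budget) return nullptr;
        budget -= n;
        owned.emplace_back(new Code());
        owned.back()->bytes.assign(n, 0xCC);
        return owned.back().get();
    }
};

struct Compartment {
    CodeAllocator alloc;
    Code* invalidator = nullptr;    // lazily created, cached thunk

    // Unchecked form (assumed shape of the defect): on OOM this calls raw()
    // through a null pointer, matching the this=0x0 frame in the backtrace.
    const uint8_t* invalidatorUnchecked() { return alloc.newCode(64)->raw(); }

    // Checked form: a null result is passed up instead of dereferenced.
    Code* getOrCreateInvalidationThunk() {
        if (!invalidator) invalidator = alloc.newCode(64);
        return invalidator;         // may still be nullptr
    }
};

// Returns false on OOM so the caller abandons the compile instead of crashing.
bool generateInvalidateEpilogue(Compartment& c, const uint8_t** target) {
    Code* thunk = c.getOrCreateInvalidationThunk();
    if (!thunk) return false;
    *target = thunk->raw();
    return true;
}
```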