Closed Bug 731820 Opened 12 years ago Closed 12 years ago

IonMonkey: segmentation fault running crypto.js

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: h4writer, Assigned: h4writer)

Details

Attachments

(2 files)

Attached file crypte.js.reduced
I get a segmentation fault on the attached testcase. (Sorry but couldn't reduce further)

This happens on "--ion -n -m" only.

Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x083867b4 in js::ion::IonCommonFrameLayout::returnAddress (this=0x1fffc5ef)
    at ../ion/shared/IonFrames-x86-shared.h:76
76	        return returnAddress_;
(gdb) bt
#0  0x083867b4 in js::ion::IonCommonFrameLayout::returnAddress (this=0x1fffc5ef)
    at ../ion/shared/IonFrames-x86-shared.h:76
#1  0x083867dd in js::ion::IonFrameIterator::returnAddress (this=0xffffc378) at ../ion/IonFrames.h:386
#2  0x08385343 in InvalidateActivation (cx=0x86dbe08, 
    ionTop=0xffffc5e8 "\330\305\377\377\377\377\377\377\300\301", <incomplete sequence \367>, 
    invalidateAll=false) at /home/h4writer/Build/ionmonkey/js/src/ion/Ion.cpp:1031
#3  0x083856fd in js::ion::Invalidate (cx=0x86dbe08, invalid=..., resetUses=true)
    at /home/h4writer/Build/ionmonkey/js/src/ion/Ion.cpp:1122
#4  0x08119f16 in js::types::TypeCompartment::processPendingRecompiles (this=0x86dc6b8, cx=0x86dbe08)
    at /home/h4writer/Build/ionmonkey/js/src/jsinfer.cpp:2148
#5  0x080a4aaf in js::types::AutoEnterTypeInference::~AutoEnterTypeInference (this=0xffffc4c0, 
    __in_chrg=<optimized out>) at ../jsinferinlines.h:235
#6  0x08123130 in js::types::TypeMonitorResult (cx=0x86dbe08, script=0xf73061c0, pc=0x86e4cd6 "5", 
    rval=...) at /home/h4writer/Build/ionmonkey/js/src/jsinfer.cpp:5160
#7  0x08152ef5 in js::types::TypeScript::Monitor (cx=0x86dbe08, script=0xf73061c0, pc=0x86e4cd6 "5", 
    rval=...) at ../jsinferinlines.h:575
#8  0x0845cefe in js::ion::InvalidationBailout (sp=0xffffc598, frameSizeOut=0xffffc594)
    at /home/h4writer/Build/ionmonkey/js/src/ion/Bailouts.cpp:451
#9  0xf753724a in ?? ()
Attached patch Adds testcaseSplinter Review
Doesn't segment faults anymore on tip. Probably fixed by bug 734022.
I created a patch to add the testcase for regression testing.
Last time dvander told me there is no need in requesting review for adding a testcase. Therefor I'm setting the review flag myself.
Attachment #604222 - Flags: review+
Keywords: checkin-needed
Whiteboard: checkin on ionmonkey branch
Assignee: general → hv1989
Hannes, thanks for the testcase.

http://hg.mozilla.org/projects/ionmonkey/rev/7d6848ae2264
Status: NEW → RESOLVED
Closed: 12 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: checkin on ionmonkey branch
You need to log in before you can comment on or make changes to this bug.