Closed Bug 732850 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::ion::IonFrameIterator::checkInvalidation]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking

()

RESOLVED DUPLICATE of bug 734022

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

The following testcase crashes on ionmonkey revision 1fd6c40d3852 (run with --ion -n -m --ion-eager):


// Reduced reproducer from the bug report. It is only reported to crash with the
// listed shell flags, so keep the statements as written when reusing it as a
// regression test (presumably the exact code shape matters to the JIT; confirm
// before simplifying).
//
// Global registry: every TestCase constructed below appends itself here.
var gTestcases = new Array();
// Next write index into gTestcases; the array is empty here, so this starts at 0.
// test() later reuses this same global as its loop counter.
var gTc = gTestcases.length;
// Constructor: stores the comparison result of `e` (expected) and `a` (actual)
// in `this.passed`, then registers the new object in the global gTestcases array.
// `n` and `d` are accepted but never read, and no `description` or `actual`
// property is set on the object.
function TestCase(n, d, e, a) {
  this.passed = getTestCaseResult(e, a);
  // Post-increment of the shared global index: the object lands at the old gTc.
  gTestcases[gTc++] = this;
}
// Compares `actual` against `expected` and returns a boolean.
// - Non-number `expected`: loose equality (==), so type coercion applies.
// - Number `expected`: absolute difference within 1E-10. If either operand is
//   NaN the subtraction yields NaN and the comparison is false.
function getTestCaseResult(expected, actual) {
  if (typeof expected != 'number')
    return actual == expected;
    // Despite the indentation, this return is NOT part of the if above; it is
    // the fall-through path taken when `expected` is a number.
    return Math.abs(actual - expected) <= 1E-10;
}
// Walks every registered test case, using the global gTc as the loop counter,
// and overwrites each entry's `passed` with the return value of
// writeTestCaseResult. That helper has no return statement, so `passed`
// becomes undefined for every entry. When the loop ends, gTc equals
// gTestcases.length, so later TestCase constructions append at the end.
function test() {
  for ( gTc=0; gTc < gTestcases.length; gTc++ ) {
      // Only one argument is passed; `description` and `actual` are never set
      // by TestCase in this listing, so both property reads yield undefined.
      gTestcases[gTc].passed = writeTestCaseResult(gTestcases[gTc].description +" = "+ gTestcases[gTc].actual);
  }
  // Nested helper (hoisted, so callable from the loop above). Called with a
  // single argument here, leaving `actual` and `string` undefined; the local
  // `passed` is computed and then discarded.
  function writeTestCaseResult( expect, actual, string ) {
    var passed = getTestCaseResult( expect, actual );
  }
}
// Driver statements. The report does not say which statement triggers the crash.
var SECTION = "15.4.2.1-1";
// Two arguments only: the eval result is passed as `d` (unused), so `e` and `a`
// are both undefined inside the constructor. The eval also declares `arr`.
new TestCase( SECTION, eval("var arr = (new Array(1,2)); arr[0]") );
// Four arguments: the second is a plain string (not evaluated), `e` is "1,2".
// `abstract` is not defined anywhere in this listing, so at script top level
// (where `this` is the global object) the post-increment evaluates to NaN and
// stores NaN back on the global.
new TestCase( SECTION, "var arr = (new Array(1,2)); String(arr)", "1,2", (this.abstract++));
// Runs over the two entries registered so far and leaves gTc at the array length.
test();
// Expected value is a number (NaN), so getTestCaseResult takes its numeric
// branch. The eval assigns VAR1 and VAR2 without declaring them.
new TestCase( SECTION, "VAR1 = NaN; VAR2=1; VAR1 -= VAR2", Number.NaN, eval("VAR1 = Number.NaN; VAR2=1; VAR1 -= VAR2"));
Crash Trace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000796eff in js::ion::IonFrameIterator::checkInvalidation (this=0x7fffffffc080, ionScriptOut=0x7fffffffc038)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:187
187         int32 invalidationDataOffset = ((int32 *) returnAddr)[-1];
(gdb) bt
#0  0x0000000000796eff in js::ion::IonFrameIterator::checkInvalidation (this=0x7fffffffc080, ionScriptOut=0x7fffffffc038)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:187
#1  0x0000000000796e73 in js::ion::IonFrameIterator::checkInvalidation (this=0x7fffffffc080) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:172
#2  0x0000000000761d19 in InvalidateActivation (cx=0xcd5d00, ionTop=0x7fffffffc478 "\001\001", invalidateAll=false)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:1032
#3  0x000000000076210e in js::ion::Invalidate (cx=0xcd5d00, invalid=..., resetUses=true) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:1116
#4  0x00000000004de9e3 in js::types::TypeCompartment::processPendingRecompiles (this=0xcd67d8, cx=0xcd5d00) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:2148
#5  0x000000000046135d in js::types::AutoEnterTypeInference::~AutoEnterTypeInference (this=0x7fffffffc250, __in_chrg=<value optimized out>) at ../jsinferinlines.h:235
#6  0x00000000004e8382 in js::types::TypeMonitorResult (cx=0xcd5d00, script=0x7ffff09072e0, pc=0xce2a97 "\232", rval=...)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:5170
#7  0x000000000051a100 in js::types::TypeScript::Monitor (cx=0xcd5d00, script=0x7ffff09072e0, pc=0xce2a97 "\232", rval=...) at ../jsinferinlines.h:575
#8  0x00000000008433b3 in js::ion::InvalidationBailout (sp=0x7fffffffc388, frameSizeOut=0x7fffffffc380) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:461
Added the testcase: http://hg.mozilla.org/projects/ionmonkey/rev/ea48d5e141e7
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug732850.js.
Flags: in-testsuite+