Closed
Bug 732850
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::ion::IonFrameIterator::checkInvalidation]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 734022
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase)
The following testcase crashes on ionmonkey revision 1fd6c40d3852 (run with --ion -n -m --ion-eager):

var gTestcases = new Array();
var gTc = gTestcases.length;
function TestCase(n, d, e, a) {
  this.passed = getTestCaseResult(e, a);
  gTestcases[gTc++] = this;
}
function getTestCaseResult(expected, actual) {
  if (typeof expected != 'number')
    return actual == expected;
  return Math.abs(actual - expected) <= 1E-10;
}
function test() {
  for ( gTc=0; gTc < gTestcases.length; gTc++ ) {
    gTestcases[gTc].passed = writeTestCaseResult(gTestcases[gTc].description +" = "+ gTestcases[gTc].actual);
  }
  function writeTestCaseResult( expect, actual, string ) {
    var passed = getTestCaseResult( expect, actual );
  }
}
var SECTION = "15.4.2.1-1";
new TestCase( SECTION, eval("var arr = (new Array(1,2)); arr[0]") );
new TestCase( SECTION, "var arr = (new Array(1,2)); String(arr)", "1,2", (this.abstract++));
test();
new TestCase( SECTION, "VAR1 = NaN; VAR2=1; VAR1 -= VAR2", Number.NaN, eval("VAR1 = Number.NaN; VAR2=1; VAR1 -= VAR2"));
Reporter
Comment 1•12 years ago
Crash Trace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000796eff in js::ion::IonFrameIterator::checkInvalidation (this=0x7fffffffc080, ionScriptOut=0x7fffffffc038) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:187
187 int32 invalidationDataOffset = ((int32 *) returnAddr)[-1];
(gdb) bt
#0 0x0000000000796eff in js::ion::IonFrameIterator::checkInvalidation (this=0x7fffffffc080, ionScriptOut=0x7fffffffc038) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:187
#1 0x0000000000796e73 in js::ion::IonFrameIterator::checkInvalidation (this=0x7fffffffc080) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:172
#2 0x0000000000761d19 in InvalidateActivation (cx=0xcd5d00, ionTop=0x7fffffffc478 "\001\001", invalidateAll=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:1032
#3 0x000000000076210e in js::ion::Invalidate (cx=0xcd5d00, invalid=..., resetUses=true) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:1116
#4 0x00000000004de9e3 in js::types::TypeCompartment::processPendingRecompiles (this=0xcd67d8, cx=0xcd5d00) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:2148
#5 0x000000000046135d in js::types::AutoEnterTypeInference::~AutoEnterTypeInference (this=0x7fffffffc250, __in_chrg=<value optimized out>) at ../jsinferinlines.h:235
#6 0x00000000004e8382 in js::types::TypeMonitorResult (cx=0xcd5d00, script=0x7ffff09072e0, pc=0xce2a97 "\232", rval=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:5170
#7 0x000000000051a100 in js::types::TypeScript::Monitor (cx=0xcd5d00, script=0x7ffff09072e0, pc=0xce2a97 "\232", rval=...) at ../jsinferinlines.h:575
#8 0x00000000008433b3 in js::ion::InvalidationBailout (sp=0x7fffffffc388, frameSizeOut=0x7fffffffc380) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:461
Comment 2•12 years ago
Added the testcase: http://hg.mozilla.org/projects/ionmonkey/rev/ea48d5e141e7
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 3•11 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug732850.js.
Flags: in-testsuite+