IonMonkey: Crash [@ js::HeapPtr<js::Shape, unsigned int>::operator js::Shape*] or [@ js::CloseIterator] or [@ js::ion::HandleException]

RESOLVED DUPLICATE of bug 732852

Status

()

--
critical
RESOLVED DUPLICATE of bug 732852
7 years ago
6 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Trunk
x86
Linux
crash, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
Created attachment 608591 [details]
Stack

var a = []
Object.defineProperty(a, 0, {
  get: (function() {
    for (var v in i) {}
    a[0]
  })
})
var i = Iterator({}, true)
a[0]

crashes js debug shell on IonMonkey changeset 61129d29a377 with -m, -a, --ion and -n at js::HeapPtr<js::Shape, unsigned int>::operator js::Shape*

During the course of reduction, an opt crash at js::CloseIterator with js::ion::HandleException on the stack was also seen.
(Reporter)

Comment 1

7 years ago
Thanks go out to Jesse and Nicolas for helping to reduce this testcase.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 732852
IonMonkey's iterator handling is broken if an exception is thrown inside an iterator which is what happens here (this function is infinitely recursive so it will hit the stack check guard).
(Reporter)

Updated

7 years ago
Attachment #608591 - Attachment description: System Diagnostic Report pointing to Firefox → Stack
A testcase for this bug was already added in the original bug (bug 732852).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.