Closed Bug 739402 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ EnterIon] or [@ js::ion::Cannon] or [@ CheckStackQuota] or [@ js::mjit::stubs::HitStackQuota]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

stack
5.58 KB, text/plain
Details
vastly reduced version of the earlier testcase
3.06 KB, text/plain
Details
Attached file stack 
The upcoming attached testcase crashes 32-bit js opt shell (compiled with --enable-more-deterministic) on IonMonkey changeset be41973873db with -m, -a, --ion and -n at EnterIon and js::ion::Cannon or CheckStackQuota and js::mjit::stubs::HitStackQuota
This does not seem to reproduce with debug shells.
Depends on: 735030
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fd3ee0 in ?? ()
#0  0x00007ffff7fd3ee0 in ?? ()
#1  0xfffafffff638e9e0 in ?? ()
#2  0x00007fffffffd568 in ?? ()
#3  0xfff880000000000a in ?? ()
#4  0xfff9000000000000 in ?? ()
#5  0x00007ffff7fecb52 in ?? ()
#6  0x0000000000000180 in ?? ()
#7  0x00007ffff6310b40 in ?? ()
#8  0x0000000000000001 in ?? ()
#9  0x00007fffffffd598 in ?? ()
#10 0xfff9000000000000 in ?? ()
#11 0xfffafffff638e9e0 in ?? ()
#12 0x00007ffff638e9e0 in ?? ()
#13 0x00007ffff7fe890c in ?? ()
#14 0x0000000000000081 in ?? ()
#15 0x00007ffff6310a80 in ?? ()
#16 0xfff9000000000000 in ?? ()
#17 0x00007fffffffd670 in ?? ()
#18 0x00007fffffffd790 in ?? ()
#19 0x000000000000ffff in ?? ()
#20 0x00007ffff7feca18 in ?? ()
#21 0x00007ffff65250b8 in ?? ()
#22 0x0000000000a55a90 in ?? ()
#23 0x00007fffffffd6b0 in ?? ()
#24 0x0000000000688cd0 in EnterIon (cx=0x1, fp=0x0, jitcode=0x7ffff65250b0) at /home/fuzz2lin/Desktop/jsfunfuzz-dbg-64-im-91657-55ab6c6d276a/compilePath/js/src/ion/Ion.cpp:964
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Tested with 64-bit js opt shell on IonMonkey changeset 55ab6c6d276a with --ion and -n in Ubuntu Linux 11.10.
Version: Trunk → Other Branch
WFM as of IonMonkey changeset 72596946ff96.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: