Closed Bug 741200 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ JSAutoByteString::ptr]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

(Keywords: crash, testcase)

The following testcase crashes on ionmonkey revision e96d5b1f47b8 (run with --ion -n -m --ion-eager):


evaluate("\
function test1() {}\
function test() { test1.call(this); }\
test.prototype += new test1();\
");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000403dbc in JSAutoByteString::ptr (this=0x0) at ../dist/include/js/Vector.h:293
293             return mBegin;
(gdb) bt
#0  0x0000000000403dbc in JSAutoByteString::ptr (this=0x0) at ../dist/include/js/Vector.h:293
#1  0x00000000004045b4 in js::types::Property::getKey (p=0x0) at ../../jsscope.h:704
#2  0x000000000071fa85 in js::ion::Cannon (cx=0xa32d30, fp=0x7ffff69421d8, newType=false) at /srv/repos/ionmonkey/js/src/ion/Ion.cpp:997
#3  0x00000000004f4237 in js::Interpret (cx=0xa32d30, entryFrame=0x7ffff6942148, interpMode=js::JSINTERP_NORMAL) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:2785
#4  0x00000000004e6e43 in js::RunScript (cx=0xa32d30, script=0x7ffff6707438, fp=0x7ffff6942148) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:480
#5  0x00000000004e7a3a in js::ExecuteKernel (cx=0xa32d30, script=0x7ffff6707438, scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x7ffff6942120)
    at /srv/repos/ionmonkey/js/src/jsinterp.cpp:678
#6  0x00000000004e7c48 in js::Execute (cx=0xa32d30, script=0x7ffff6707438, scopeChainArg=..., rval=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:720
#7  0x000000000043efd9 in EvaluateUCScriptForPrincipalsCommon (cx=0xa32d30, obj=0x7ffff6703060, principals=0x0, originPrincipals=0x0, chars=0xa41240, length=86, filename=0x80fa28 "@evaluate", lineno=0, 
    rval=0x7ffff6942120, compileVersion=JSVERSION_ECMA_5) at /srv/repos/ionmonkey/js/src/jsapi.cpp:5277
#8  0x000000000043f098 in JS_EvaluateUCScriptForPrincipals (cx=0xa32d30, obj=0x7ffff6703060, principals=0x0, chars=0xa41240, length=86, filename=0x80fa28 "@evaluate", lineno=0, rval=0x7ffff6942120)
    at /srv/repos/ionmonkey/js/src/jsapi.cpp:5288
#9  0x000000000043f257 in JS_EvaluateUCScript (cx=0xa32d30, obj=0x7ffff6703060, chars=0xa41240, length=86, filename=0x80fa28 "@evaluate", lineno=0, rval=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/jsapi.cpp:5322
#10 0x0000000000407c3f in Evaluate (cx=0xa32d30, argc=1, vp=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/shell/js.cpp:871
#11 0x00000000004e117d in js::CallJSNative (cx=0xa32d30, native=0x407ad0 <Evaluate(JSContext*, unsigned int, jsval*)>, args=...) at ../jscntxtinlines.h:314
#12 0x00000000004e71af in js::InvokeKernel (cx=0xa32d30, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:524
#13 0x00000000004f3a97 in js::Interpret (cx=0xa32d30, entryFrame=0x7ffff69420b0, interpMode=js::JSINTERP_BAILOUT) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:2725
#14 0x00000000007e7f76 in js::ion::ThunkToInterpreter (vp=0x7fffffffd5e8) at /srv/repos/ionmonkey/js/src/ion/Bailouts.cpp:597
#15 0x00007ffff7fb6639 in ?? ()
Cannot reproduce this anymore on tip and the fuzzer is not hitting this anymore (where it was hitting it before very often). Assuming this is fixed and closing WFM.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME