Bug 741207 (Closed): IonMonkey: Crash [@ js::StackFrame::updateEpilogueFlags]

Opened 12 years ago, closed 12 years ago
Product/Component: Core :: JavaScript Engine (defect)
Version: Other Branch
Platform: x86_64 Linux
Priority: Not set
Severity: major
Status: RESOLVED DUPLICATE of bug 743096
Reporter: decoder; Assignee: Unassigned
Keywords: crash, testcase
Whiteboard: [jsbugmon:update,ignore]

The following testcase crashes on ionmonkey revision e96d5b1f47b8 (run with --ion -n -m --ion-eager):
var i = -1; var j = -1; var s = ''; var f = '';
evaluate("\
function f() {\
    var obj = {\
        p0:0, p1:1, p2:2, p3:3, p4:4, p5:5, p6:6, p7:7, p8:8, p9:9, \
        p10:0, p11:1, p12:2, p13:3, p14:4, p15:5, p16:6, p17:7, p18:8, p19:9, \
    };\
}\
    actual = f();\
");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000066bf6b in js::StackFrame::updateEpilogueFlags (this=0x7ffff69421d0) at ../vm/Stack-inl.h:420
420             script()->nesting()->activeFrames++;
(gdb) bt
#0  0x000000000066bf6b in js::StackFrame::updateEpilogueFlags (this=0x7ffff69421d0) at ../vm/Stack-inl.h:420
#1  0x000000000071f8cf in EnterIon (cx=0xa32d30, fp=0x7ffff69421d0, jitcode=0x7ffff7fb6a20) at /srv/repos/ionmonkey/js/src/ion/Ion.cpp:975
#2  0x000000000071fab0 in js::ion::Cannon (cx=0xa32d30, fp=0x7ffff69421d0, newType=false) at /srv/repos/ionmonkey/js/src/ion/Ion.cpp:1000
#3  0x00000000004f4237 in js::Interpret (cx=0xa32d30, entryFrame=0x7ffff6942148, interpMode=js::JSINTERP_NORMAL) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:2785
#4  0x00000000004e6e43 in js::RunScript (cx=0xa32d30, script=0x7ffff6707350, fp=0x7ffff6942148) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:480
#5  0x00000000004e7a3a in js::ExecuteKernel (cx=0xa32d30, script=0x7ffff6707350, scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x7ffff6942120)
    at /srv/repos/ionmonkey/js/src/jsinterp.cpp:678
#6  0x00000000004e7c48 in js::Execute (cx=0xa32d30, script=0x7ffff6707350, scopeChainArg=..., rval=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:720
#7  0x000000000043efd9 in EvaluateUCScriptForPrincipalsCommon (cx=0xa32d30, obj=0x7ffff6703060, principals=0x0, originPrincipals=0x0, chars=0xa41de0, length=199, filename=0x80fa28 "@evaluate", lineno=0, 
    rval=0x7ffff6942120, compileVersion=JSVERSION_ECMA_5) at /srv/repos/ionmonkey/js/src/jsapi.cpp:5277
#8  0x000000000043f098 in JS_EvaluateUCScriptForPrincipals (cx=0xa32d30, obj=0x7ffff6703060, principals=0x0, chars=0xa41de0, length=199, filename=0x80fa28 "@evaluate", lineno=0, rval=0x7ffff6942120)
    at /srv/repos/ionmonkey/js/src/jsapi.cpp:5288
#9  0x000000000043f257 in JS_EvaluateUCScript (cx=0xa32d30, obj=0x7ffff6703060, chars=0xa41de0, length=199, filename=0x80fa28 "@evaluate", lineno=0, rval=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/jsapi.cpp:5322
#10 0x0000000000407c3f in Evaluate (cx=0xa32d30, argc=1, vp=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/shell/js.cpp:871
#11 0x00000000004e117d in js::CallJSNative (cx=0xa32d30, native=0x407ad0 <Evaluate(JSContext*, unsigned int, jsval*)>, args=...) at ../jscntxtinlines.h:314
#12 0x00000000004e71af in js::InvokeKernel (cx=0xa32d30, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:524
#13 0x00000000004f3a97 in js::Interpret (cx=0xa32d30, entryFrame=0x7ffff69420b0, interpMode=js::JSINTERP_BAILOUT) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:2725
#14 0x00000000007e7f76 in js::ion::ThunkToInterpreter (vp=0x7fffffffd5e8) at /srv/repos/ionmonkey/js/src/ion/Bailouts.cpp:597
#15 0x00007ffff7fb6639 in ?? ()

Whiteboard: [jsbugmon:update]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 67bf9a4a1f77).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

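The check JSBugMon reports above (does the testcase still crash the shell with the flags from the report) and the bisect that follows both reduce to running the shell on the testcase and classifying how it exited. The harness below is an added example, not code from this bug, from JSBugMon or from the SpiderMonkey tree: the shell path and testcase file are taken as arguments, the flags are the ones quoted in the report, and the 30-second timeout and the probe helper that stands in the Python interpreter for the shell are assumptions made for the demonstration.

```python
"""Classify the outcome of running a JS shell on a crash testcase.

Added example (not from the bug or from JSBugMon). On POSIX, subprocess
reports death by signal as a negative return code (-11 for SIGSEGV), which
is the case this bug's backtrace shows; a clean exit, a non-zero exit and a
hang are the other outcomes a triage script must tell apart.
"""
import signal
import subprocess
import sys
from dataclasses import dataclass

# Flags quoted in the bug report.
ION_FLAGS = ["--ion", "-n", "-m", "--ion-eager"]


@dataclass
class Outcome:
    kind: str    # "ok", "error", "crash" or "timeout"
    detail: str  # signal name, "exit N", timeout length, or "" for ok


def classify(returncode):
    """Map a subprocess return code to an Outcome."""
    if returncode == 0:
        return Outcome("ok", "")
    if returncode < 0:
        # Killed by a signal: -returncode is the signal number.
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = f"signal {-returncode}"
        return Outcome("crash", name)
    return Outcome("error", f"exit {returncode}")


def run_testcase(shell, testcase, flags=ION_FLAGS, timeout=30):
    """Run `shell <flags> testcase` and classify the result.

    Output is captured rather than shown so a noisy testcase cannot hide the
    verdict; the timeout (assumed value) turns a hang into its own outcome.
    """
    try:
        proc = subprocess.run([shell, *flags, testcase],
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return Outcome("timeout", f"{timeout}s")
    return classify(proc.returncode)


def reproduces(shell, testcase, expected_signal="SIGSEGV", flags=ION_FLAGS):
    """True if the testcase still crashes with the expected signal.

    This is the question behind a 'no longer reproduces' comment and behind
    each step of a bisect: a run that exits cleanly or with a plain error is
    not the reported crash, even if it is some other bug.
    """
    out = run_testcase(shell, testcase, flags)
    return out.kind == "crash" and out.detail == expected_signal


def probe_with_python(code):
    """Self-test helper (assumption): use the Python interpreter as a stand-in
    'shell', running `code` via -c, so the classifier can be exercised without
    a SpiderMonkey build."""
    return run_testcase(sys.executable, code, flags=["-c"], timeout=30)


if __name__ == "__main__":
    # Usage: python triage.py /path/to/js testcase.js
    result = run_testcase(sys.argv[1], sys.argv[2])
    print(f"{result.kind} {result.detail}".strip())
    sys.exit(0 if result.kind == "ok" else 1)
```

Keeping the expected signal in the check matters during a bisect: a revision where the testcase stops segfaulting but starts asserting or hanging is a different outcome, and treating any non-crash as "good" would mark the wrong changeset as the fix.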
Bisect shows:

The first good revision is:
changeset:   92558:e57e79302ed6
user:        Nicolas Pierron
date:        Mon Apr 09 18:40:37 2012 -0700
summary:     InitProp: Fix dynamic slot index. (Bug 743096, r=sstangl)

pierron, can I close this bug as dup?

(In reply to Christian Holler (:decoder) from comment #3)
> pierron, can I close this bug as dup?

Yes.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE

A testcase for this bug was already added in the original bug (bug 743096).
Flags: in-testsuite-