Closed Bug 743071 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::types::TypeSet::baseFlags]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major


RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,reconfirm,ignore])

The following testcase crashes on ionmonkey revision a9a18824b4c1 (run with --ion -n -m --ion-eager):


{
  try
  {
    try
    {
    }
    catch(ex1)
    {
    }
  }
  catch(ex)
  {
  }
}
function optionsClear() {
  var optionNames = options().split(',');
  for (var i = 0; i < optionNames.length; i++)
  {
    var optionName = optionNames[i];
    if (optionName &&
        optionName != "methodjit_always")
    {
      options(optionName);
    }
  }
}
{
  optionsClear();
  {
  }
}
function test() {
  for ( gTc=0; gTc < gTestcases.length; gTc++ ) {
    try
    {
    }
    catch(e)
    {
    }
  }
}
try {
var g = newGlobal('new-compartment');
g.eval("(" + function () {
        dbg = new Debugger(debuggeeGlobal);
    } + ")();");
} catch(exc0) {}
Excuse the long test, accidentally hit the wrong file which didn't have the useless try/catch blocks removed. Will reproduce anyway of course :)


Here's a backtrace for the crash:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004d7a4e in js::types::TypeSet::baseFlags (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.h:375
375         TypeFlags baseFlags() const { return flags & TYPE_FLAG_BASE_MASK; }
(gdb) bt 16
#0  0x00000000004d7a4e in js::types::TypeSet::baseFlags (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.h:375
#1  0x00000000004df7cc in js::types::TypeSet::getSingleton (this=0x0, cx=0xd05d30, freeze=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:1810
#2  0x00000000007851d5 in js::ion::IonBuilder::getSingleCallTarget (this=0x7fffffffa8e0, argc=1, pc=0xd0c11a "R") at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:132
#3  0x000000000078c452 in js::ion::IonBuilder::jsop_call (this=0x7fffffffa8e0, argc=1, constructing=true) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:2604
#4  0x0000000000786e25 in js::ion::IonBuilder::inspectOpcode (this=0x7fffffffa8e0, op=JSOP_NEW) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:739
#5  0x0000000000786466 in js::ion::IonBuilder::traverseBytecode (this=0x7fffffffa8e0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:516
#6  0x0000000000785873 in js::ion::IonBuilder::build (this=0x7fffffffa8e0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:271
#7  0x000000000076dc1a in TestCompiler (builder=..., graph=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:639
#8  0x000000000076e5f4 in IonCompile (cx=0xd05d30, script=0x7ffff091d160, fp=0x7ffff0beb1d0, osrPc=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:774
#9  0x000000000076e9e3 in Compile (cx=0xd05d30, script=0x7ffff091d160, fp=0x7ffff0beb1d0, osrPc=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:858
#10 0x000000000076ec99 in js::ion::CanEnter (cx=0xd05d30, script=0x7ffff091d160, fp=0x7ffff0beb1d0, newType=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:926
#11 0x000000000050f3bb in js::Interpret (cx=0xd05d30, entryFrame=0x7ffff0beb150, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:2781
#12 0x0000000000501e8c in js::RunScript (cx=0xd05d30, script=0x7ffff091d230, fp=0x7ffff0beb150) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:483
#13 0x0000000000502a73 in js::ExecuteKernel (cx=0xd05d30, script=0x7ffff091d230, scopeChain=..., thisv=..., type=js::EXECUTE_INDIRECT_EVAL, evalInFrame=0x0, result=0x7ffff0beb128)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:681
#14 0x0000000000531a79 in EvalKernel (cx=0xd05d30, args=..., evalType=INDIRECT_EVAL, caller=0x0, scopeobj=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsobj.cpp:1045
#15 0x0000000000531bd4 in js::eval (cx=0xd05d30, argc=1, vp=0x7ffff0beb128) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsobj.cpp:1089
(More stack frames follow...)
Will be fixed by patch in Bug 745362.
JSBugMon: The testcase found in this bug no longer reproduces (tried revision de015aff650d).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,reconfirm]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision bc1833f2111e).
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:update,reconfirm,ignore]
The original cset WFM, and given comments 2, 4, and 5, I'm going to WFM this.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+