Closed
Bug 743119
Opened 13 years ago
Closed 13 years ago
IonMonkey: Crash [@ js::Interpret] with infinite recursion
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])
Crash Data
Attachments
(1 file)
694 bytes,
patch
|
sstangl
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on ionmonkey revision a9a18824b4c1 (run with --ion -n):
function printStatus (msg) {}
try {
evaluate("\
test();\
function test() {\
var fThis;\
function f() {\
new printStatus( fThis, 'isFinite( new String(\"Infinity\") )', false, isFinite(new f('Infinity')) );\
}\
f()();\
}\
");
} catch(exc0) {}
evaluate("test();");
Reporter | ||
Comment 1•13 years ago
|
||
Crash stack:
Program received signal SIGSEGV, Segmentation fault.
0x0813efd1 in js::Interpret (cx=0x870de10, entryFrame=0xf7b10090, interpMode=js::JSINTERP_BAILOUT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1297
1297 {
(gdb) bt 8
#0 0x0813efd1 in js::Interpret (cx=0x870de10, entryFrame=0xf7b10090, interpMode=js::JSINTERP_BAILOUT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1297
#1 0x0846ea85 in js::ion::ThunkToInterpreter (vp=0xff3fe568) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:476
#2 0x00414885 in ?? ()
#3 0x08390f65 in EnterIon (cx=0x870de10, fp=0xf7b10040, jitcode=0x4148d8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:974
#4 0x083911aa in js::ion::Cannon (cx=0x870de10, fp=0xf7b10040) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:1002
#5 0x08149821 in js::Interpret (cx=0x870de10, entryFrame=0xf7b0ffa0, interpMode=js::JSINTERP_BAILOUT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:2785
#6 0x0846ea85 in js::ion::ThunkToInterpreter (vp=0xff3fee58) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:476
#7 0x00414885 in ?? ()
(More stack frames follow...)
Repeats always with those 5 frames.
Reporter | ||
Comment 2•13 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 030178aae6e4).
Reporter | ||
Updated•13 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter | ||
Comment 3•13 years ago
|
||
Bisection points to this revision as the fix:
The first good revision is:
changeset: 92561:c1aa75c192b8
user: Kannan Vijayan
date: Wed Apr 11 17:24:51 2012 -0400
summary: Bug 744535 - Invalidate/recompile scripts on change to ThisTypeSet
Kannan, is this likely a fix for this bug so we can close it?
Comment 4•13 years ago
|
||
Not sure about that. It seemed like Bug 744535 was a perf bug, not correctness, but I could be wrong. I would think that failing to freeze ThisTypeSet shouldn't lead to infinite loops, just a whole lot of expensive deoptimizations when guards fail.
bhackett should be able to answer this more definitively.
Comment 5•13 years ago
|
||
I think there is a JS_CHECK_RECURSION needed somewhere in that call stack, probably in ion::Cannon to avoid blowing the C stack. The test itself has an infinite recursion.
Assignee | ||
Comment 6•13 years ago
|
||
Although this bug no longer reproduces, I encountered this a few days ago and we definitely need a JS_CHECK_RECURSION in EnterIon.
Comment 7•13 years ago
|
||
Comment on attachment 623902 [details] [diff] [review]
fix
Review of attachment 623902 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/ion/Ion.cpp
@@ +945,5 @@
>
> static bool
> EnterIon(JSContext *cx, StackFrame *fp, void *jitcode)
> {
> + JS_CHECK_RECURSION(cx, return true);
Needs to return false.
Attachment #623902 -
Flags: review?(sstangl) → review+
Assignee | ||
Comment 8•13 years ago
|
||
Of course, I managed to leave a bug in a one-line trivial patch ;)
http://hg.mozilla.org/projects/ionmonkey/rev/29b9a3fd01e4
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•