Bug 743119 - IonMonkey: Crash [@ js::Interpret] with infinite recursion
Status: Closed, RESOLVED FIXED (opened 12 years ago, closed 12 years ago)
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Assigned: dvander
Keywords: crash, testcase; Whiteboard: [jsbugmon:update,ignore]
Attachments (1 file): patch, 694 bytes, sstangl: review+
The following testcase crashes on ionmonkey revision a9a18824b4c1 (run with --ion -n):

function printStatus (msg) {}
try {
  evaluate("\
    test();\
    function test() {\
      var fThis;\
      function f() {\
        new printStatus( fThis, 'isFinite( new String(\"Infinity\") )', false, isFinite(new f('Infinity')) );\
      }\
      f()();\
    }\
  ");
} catch(exc0) {}
evaluate("test();");
Comment 1 • 12 years ago (reporter)
Crash stack:

Program received signal SIGSEGV, Segmentation fault.
0x0813efd1 in js::Interpret (cx=0x870de10, entryFrame=0xf7b10090, interpMode=js::JSINTERP_BAILOUT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1297
1297	{
(gdb) bt 8
#0  0x0813efd1 in js::Interpret (cx=0x870de10, entryFrame=0xf7b10090, interpMode=js::JSINTERP_BAILOUT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:1297
#1  0x0846ea85 in js::ion::ThunkToInterpreter (vp=0xff3fe568) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:476
#2  0x00414885 in ?? ()
#3  0x08390f65 in EnterIon (cx=0x870de10, fp=0xf7b10040, jitcode=0x4148d8) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:974
#4  0x083911aa in js::ion::Cannon (cx=0x870de10, fp=0xf7b10040) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:1002
#5  0x08149821 in js::Interpret (cx=0x870de10, entryFrame=0xf7b0ffa0, interpMode=js::JSINTERP_BAILOUT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:2785
#6  0x0846ea85 in js::ion::ThunkToInterpreter (vp=0xff3fee58) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:476
#7  0x00414885 in ?? ()
(More stack frames follow...)

Repeats always with those 5 frames.
Comment 2 • 12 years ago (reporter)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 030178aae6e4).
Updated • 12 years ago (reporter): Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 3 • 12 years ago (reporter)
Bisection points to this revision as the fix:

The first good revision is:
changeset:   92561:c1aa75c192b8
user:        Kannan Vijayan
date:        Wed Apr 11 17:24:51 2012 -0400
summary:     Bug 744535 - Invalidate/recompile scripts on change to ThisTypeSet

Kannan, is this likely a fix for this bug so we can close it?
Comment 4 • 12 years ago
Not sure about that. It seemed like Bug 744535 was a perf bug, not correctness, but I could be wrong. I would think that failing to freeze ThisTypeSet shouldn't lead to infinite loops, just a whole lot of expensive deoptimizations when guards fail. bhackett should be able to answer this more definitively.
Comment 5 • 12 years ago
I think there is a JS_CHECK_RECURSION needed somewhere in that call stack, probably in ion::Cannon to avoid blowing the C stack. The test itself has an infinite recursion.
Comment 6 • 12 years ago (assignee)
Although this bug no longer reproduces, I encountered this a few days ago and we definitely need a JS_CHECK_RECURSION in EnterIon.
Comment 7 • 12 years ago
Comment on attachment 623902 [details] [diff] [review] fix Review of attachment 623902 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/Ion.cpp @@ +945,5 @@ > > static bool > EnterIon(JSContext *cx, StackFrame *fp, void *jitcode) > { > + JS_CHECK_RECURSION(cx, return true); Needs to return false.
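Review bot: the failure action in `JS_CHECK_RECURSION(cx, return true);` makes EnterIon report success when the recursion check fails. EnterIon is declared `static bool` and that return value is how its caller learns whether the Ion entry succeeded; the check reports an over-recursion error before taking the failure action, so the line should read `JS_CHECK_RECURSION(cx, return false);` so that the pending error propagates instead of the caller carrying on as though the script ran.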
Attachment #623902 - Flags: review?(sstangl) → review+
Comment 8 • 12 years ago (assignee)
Of course, I managed to leave a bug in a one-line trivial patch ;) http://hg.mozilla.org/projects/ionmonkey/rev/29b9a3fd01e4
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
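Comments 5 to 7 describe the fix: a JS_CHECK_RECURSION guard at the Ion entry point whose failure branch must return false. The C program below is an added example, not the engine's code; it models that guard on a hypothetical mini-engine context (the Context type, the 64 KiB budget and the report_success_on_error switch are constructed for illustration) and shows why the rejected `return true` leaves an error pending while signalling success to the caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Hypothetical mini-engine context, constructed for this example. */
typedef struct {
    uintptr_t stack_base;    /* address of a local taken at initialisation */
    size_t    stack_budget;  /* native stack bytes the engine may consume */
    bool      over_recursed; /* "error reported" flag, set by the guard */
    int       max_depth;     /* deepest re-entry that passed the guard */
} Context;
void context_init(Context *cx, size_t budget) {
    int marker;                       /* a local in the outermost engine frame */
    cx->stack_base = (uintptr_t)&marker;
    cx->stack_budget = budget; cx->over_recursed = false; cx->max_depth = 0;
}
/* Distance from the base; works whether the stack grows down or up. */
static bool stack_within_limit(const Context *cx, const void *here) {
    uintptr_t cur = (uintptr_t)here, base = cx->stack_base;
    return (cur > base ? cur - base : base - cur) <= cx->stack_budget;
}
/* Modelled on SpiderMonkey's JS_CHECK_RECURSION(cx, onerror): compare a local's
 * address against the limit; on overflow report the error, then run the action. */
#define CHECK_RECURSION(cx, onerror)                      \
    do {                                                 \
        int stack_dummy_;                                \
        if (!stack_within_limit((cx), &stack_dummy_)) {  \
            (cx)->over_recursed = true;                  \
            onerror;                                     \
        }                                                \
    } while (0)
/* Stand-in for an EnterIon-style entry point that script re-enters without bound,
 * like the f()() testcase. false -> "return false" on overflow (the reviewed patch);
 * true -> the rejected "return true": an error is pending, yet the caller sees success. */
bool enter_ion(Context *cx, int depth, bool report_success_on_error) {
    CHECK_RECURSION(cx, return report_success_on_error);
    volatile char frame[512];         /* give every frame a real stack footprint */
    frame[0] = (char)depth;
    if (depth > cx->max_depth) cx->max_depth = depth;
    bool ok = enter_ion(cx, depth + 1, report_success_on_error);
    return ok && frame[0] == (char)depth; /* work after the call: no tail call */
}
bool last_errored; int last_depth;    /* outcome of the last run_entry() */
/* One run from a fresh context with a 64 KiB budget. */
bool run_entry(bool report_success_on_error) {
    Context cx;
    context_init(&cx, 64 * 1024);
    bool ok = enter_ion(&cx, 0, report_success_on_error);
    last_errored = cx.over_recursed; last_depth = cx.max_depth;
    return ok;
}
```

In both runs the guard fires and records the error; only the `return false` variant lets the caller see that the entry failed.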