Closed Bug 743132 Opened 13 years ago Closed 13 years ago

IonMonkey: Assertion failure: safepoint.allSpills().empty(), at ion/IonFrames.cpp:433 or Crash [@ js::HeapPtr<js::BaseShape, unsigned long>::operator]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED DUPLICATE of bug 755157

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore])

The following testcase crashes on ionmonkey revision a9a18824b4c1 (run with --ion -n -m --ion-eager):

gczeal(2);
evaluate("\
function f(N) {\
  for (var i = 45e13 ; i != N; ++i) {\
    var obj0 = {}, obj1 = {}, obj2 = {};\
    obj2['b'+(i+1)] = 1;\
    for (var repeat = 0;repeat != 2; ++repeat) {\
      for (var k in obj2) {\
        for (var l in obj0)\
          ++count;\
      }\
    }\
  }\
}\
var array = [function() { f(10); }, ];\
for (var i = 0; i != array.length; ++i)\
  array[i]();\
");
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000405a96 in js::Shape::getObjectClass (this=0x7ffff0915000) at ../../jsscope.h:603
603	Class *getObjectClass() const { return base()->clasp; }
(gdb) bt
#0  0x0000000000405a96 in js::Shape::getObjectClass (this=0x7ffff0915000) at ../../jsscope.h:603
#1  0x0000000000406f8e in js::ObjectImpl::getClass (this=0x7ffff0914d80) at ../../vm/ObjectImpl-inl.h:245
#2  0x000000000051c885 in js::GetIterator (cx=0xd05d30, obj=0x7ffff0914d80, flags=1, vp=0x7fffffff4380) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsiter.cpp:694
#3  0x000000000051d06c in js::GetIteratorObject (cx=0xd05d30, obj=0x7ffff0914d80, flags=1) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsiter.cpp:821
#4  0x00007ffff7f4303a in ?? ()
#5  0x0000000000000000 in ?? ()
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7ac0cbabb3d7).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,reconfirm]
JSBugMon doesn't seem to be able to reproduce this bug on the original revision. However, I manually checked that this still asserts/crashes on 67bf9a4a1f77, but the symptoms changed. Stepping through the assertion shows:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004137c4 in js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape* (this=0xdadadadadadadada) at ../../gc/Barrier.h:214
214	operator T*() const { return value; }
(gdb) bt 8
#0  0x00000000004137c4 in js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape* (this=0xdadadadadadadada) at ../../gc/Barrier.h:214
#1  0x0000000000405b9c in js::Shape::base (this=0xdadadadadadadada) at ../../jsscope.h:704
#2  0x0000000000405aa6 in js::Shape::getObjectClass (this=0xdadadadadadadada) at ../../jsscope.h:603
#3  0x000000000040708c in js::ObjectImpl::getClass (this=0x7ffff0914d00) at ../../vm/ObjectImpl-inl.h:245
#4  0x000000000051d609 in js::GetIterator (cx=0xd14d40, obj=0x7ffff0914d00, flags=1, vp=0x7fffffff91f0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsiter.cpp:694
#5  0x000000000051ddf0 in js::GetIteratorObject (cx=0xd14d40, obj=0x7ffff0914d00, flags=1) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsiter.cpp:821
#6  0x00007ffff7f4303a in ?? ()
#7  0x00007fffffff95c0 in ?? ()
(More stack frames follow...)
(gdb) x /i $pc
=> 0x4137c4 <js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape*() const+12>:	mov    (%rax),%rax
(gdb) info reg rax
rax            0xdadadadadadadada	-2676586395008836902
(gdb)

Marking s-s as this looks like a use-after-free condition.
Crash Signature: [@ js::Shape::getObjectClass] → [@ js::HeapPtr<js::BaseShape, unsigned long>::operator]
Summary: IonMonkey: Crash [@ js::Shape::getObjectClass] → IonMonkey: Assertion failure: safepoint.allSpills().empty(), at ion/IonFrames.cpp:433 or Crash [@ js::HeapPtr<js::BaseShape, unsigned long>::operator]
Group: core-security
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:ignore]
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Group: core-security