Closed
Bug 755564
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::HeapPtr<js::BaseShape, unsigned long>::operator] with ParallelArray
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED
firefox-esr10: unaffected
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: crash, testcase)
Attachments (2 files, 1 obsolete file)
patch, 21.80 KB, billm: review+
patch, 1.70 KB, billm: review+
The following testcase crashes on ionmonkey revision 50177d59c0e1 (run with --ion -n -m):

var p = new ParallelArray([1,2,3,4,5]);
var r = p.scatter([0,1,0,3,4], 9, function (a,b) { return a+b; });
assertEq(r.toString( 5 ? r : 0, gc()) ,[4,2,9,4,5].join(","));

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004145a8 in js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape* (this=0xdadadadadadadada) at ../../gc/Barrier.h:212
212         operator T*() const { return value; }
(gdb) bt 8
#0  0x00000000004145a8 in js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape* (this=0xdadadadadadadada) at ../../gc/Barrier.h:212
#1  0x0000000000405fe0 in js::Shape::base (this=0xdadadadadadadada) at ../../jsscope.h:708
#2  0x0000000000405eea in js::Shape::getObjectClass (this=0xdadadadadadadada) at ../../jsscope.h:607
#3  0x000000000040714e in js::ObjectImpl::getClass (this=0x7ffff09099a0) at ../../vm/ObjectImpl-inl.h:245
#4  0x000000000040718e in js::ObjectImpl::getOps (this=0x7ffff09099a0) at ../../vm/ObjectImpl-inl.h:263
#5  0x0000000000551738 in js_GetMethod (cx=0xd955a0, obj=..., id=..., getHow=0, vp=0x7fffffffc530) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsobj.cpp:5166
#6  0x00000000006a0cd8 in ParallelArray_forward_method (cx=0xd955a0, argc=2, vp=0x7ffff0beb0b0, native=0x6a0d90 <ParallelArray_toString(JSContext*, unsigned int, JS::Value*)>, id=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/builtin/ParallelArray.cpp:587
#7  0x00000000006a0ddc in ParallelArray_toString (cx=0xd955a0, argc=2, vp=0x7ffff0beb0b0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/builtin/ParallelArray.cpp:602
(More stack frames follow...)
(gdb) x /i $pc
=> 0x4145a8 <js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape*() const+12>:    mov    (%rax),%rax
(gdb) info reg rax
rax            0xdadadadadadadada    -2676586395008836902
Assignee: general → wmccloskey
Oops. IonMonkey bug. Never mind.
Assignee: wmccloskey → general
Assignee
Comment 2•12 years ago
This is very likely to be bug 729812 so let's wait until that's fixed and try this again.
Assignee: general → dvander
Status: NEW → ASSIGNED
Assignee
Comment 3•12 years ago
This doesn't fix the bug, but I noticed ParallelArray is not moving GC safe so this patch fixes that.
Attachment #624831 -
Flags: review?(wmccloskey)
Comment on attachment 624831 [details] [diff] [review]
make ParallelArray moving GC safe

Review of attachment 624831 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/builtin/ParallelArray.cpp
@@ +320,2 @@
> if (!obj)
> + return false;

I think we need to |return ok| here.

::: js/src/ion/MIR.cpp
@@ +492,5 @@
>
> void
> MBitNot::infer(const TypeOracle::Unary &u)
> {
> + JS_ASSERT(u.ival != MIRType_Value);

Not sure if you intended for this to be here...
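Review bot: the js/src/ion/MIR.cpp hunk at @@ +492,5 @@, which adds `JS_ASSERT(u.ival != MIRType_Value);` to MBitNot::infer, is unrelated to the stated purpose of this patch (making ParallelArray moving-GC safe); drop it here or land it as its own changeset, so that an assertion failure in type inference is never bisected to the GC fix and the GC fix can be backed out on its own.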
Attachment #624831 -
Flags: review?(wmccloskey) → review+
Assignee
Comment 5•12 years ago
Bug is, it's non-native but has no trace hook. Bill pointed out it can just be native.
Attachment #624865 -
Flags: review?(wmccloskey)
Attachment #624865 -
Flags: review?(wmccloskey) → review+
Assignee
Comment 6•12 years ago
Thanks for the quick reviews! http://hg.mozilla.org/projects/ionmonkey/rev/fe35715a3f01 http://hg.mozilla.org/projects/ionmonkey/rev/b15990ffc15d
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
status-firefox-esr10:
--- → unaffected
Assignee
Comment 7•12 years ago
Backing out part 2: http://hg.mozilla.org/projects/ionmonkey/rev/ec1aca662dbe It turns out these objects have some non-native behavior, so it'll be easier to just implement a trace hook.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
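Comments 5 and 7 name the root cause: a class that holds GC pointers but is not native and supplies no trace hook, so the collector never marks what the object points to, and the next access reads a freed cell. The 0xdadadadadadadada `this` pointer and rax value in the backtrace are the poison pattern a debug build writes over freed memory. The toy mark-and-sweep heap below is an added illustration of exactly that failure mode; it is constructed for this page and is not SpiderMonkey code or any patch from this bug. The object layout, the `Obj`/`TraceHook` names and the poison byte are all assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy mark-and-sweep heap (not SpiderMonkey). It models the bug:
 * a class that stores GC pointers but has no trace hook, so the mark phase
 * never reaches its children and they are swept while still referenced. */

#define POISON_BYTE 0xda   /* assumed freed-cell poison; gives 0xdadadadadadadada */
#define MAX_OBJS 16

typedef struct Obj Obj;
typedef void (*MarkFn)(Obj *);
typedef void (*TraceHook)(Obj *self, MarkFn mark);

struct Obj {
    int marked;             /* set during the mark phase, cleared by sweep */
    TraceHook trace;        /* NULL models "class has no trace hook" */
    struct {
        Obj *child;         /* a GC pointer kept in a slot */
        uint64_t payload;   /* data the engine later reads through that pointer */
    } slots;
};

static Obj *heap[MAX_OBJS];
static size_t heap_count;

static Obj *alloc_obj(TraceHook trace) {
    if (heap_count == MAX_OBJS) abort();
    Obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->trace = trace;
    o->slots.payload = 42;   /* recognisable live value */
    heap[heap_count++] = o;
    return o;
}

/* Mark phase: children are reached only through the class's trace hook.
 * With no hook, the walk stops at this object and its children stay unmarked. */
static void mark(Obj *o) {
    if (!o || o->marked) return;
    o->marked = 1;
    if (o->trace) o->trace(o, mark);
}

/* The trace hook a well-behaved class supplies: report every GC pointer it holds. */
static void trace_child(Obj *self, MarkFn markfn) {
    markfn(self->slots.child);
}

/* Sweep phase: unmarked cells are dead; their slots are overwritten with the
 * poison byte so a later use-after-free is visible as 0xda.. rather than as
 * silently stale data. Survivors get their mark bit cleared for the next GC. */
static void sweep(void) {
    for (size_t i = 0; i < heap_count; i++) {
        Obj *o = heap[i];
        if (o->marked) { o->marked = 0; continue; }
        memset(&o->slots, POISON_BYTE, sizeof o->slots);
    }
}

static void free_heap(void) {
    for (size_t i = 0; i < heap_count; i++) free(heap[i]);
    heap_count = 0;
}

/* Triage helper: is a register or pointer value made entirely of poison bytes?
 * That is the check to run on the 'this' and rax values in a crash like this one. */
static int is_poison_pattern(uint64_t v) {
    for (int i = 0; i < 8; i++)
        if (((v >> (8 * i)) & 0xff) != POISON_BYTE) return 0;
    return 1;
}

/* Build holder -> child, run one GC with only the holder rooted, then read the
 * child's payload through the holder (as js_GetMethod did in the backtrace).
 * Returns the value observed: 42 when the holder is traced, poison when not. */
static uint64_t run_scenario(int holder_has_trace_hook) {
    Obj *holder = alloc_obj(holder_has_trace_hook ? trace_child : NULL);
    Obj *child = alloc_obj(NULL);   /* a leaf with no GC pointers needs no hook */
    holder->slots.child = child;

    mark(holder);                   /* root set: just the holder */
    sweep();

    uint64_t seen = holder->slots.child->slots.payload;
    free_heap();
    return seen;
}

int main(void) {
    uint64_t ok = run_scenario(1), bad = run_scenario(0);
    printf("with trace hook:    payload=%llu   poison=%d\n", (unsigned long long)ok, is_poison_pattern(ok));
    printf("without trace hook: payload=0x%llx poison=%d\n", (unsigned long long)bad, is_poison_pattern(bad));
    return 0;
}
```

The untraced run reproduces the shape of the bug: the holder survives, its slot still points at the child, and the child has been swept and poisoned, so the first dereference through it yields the 0xdadadadadadadada seen in the backtrace. The fix in comment 7 corresponds to giving the holder class a real `trace_child`.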
Assignee
Comment 8•12 years ago
Attachment #624865 -
Attachment is obsolete: true
Attachment #625033 -
Flags: review?(wmccloskey)
Attachment #625033 -
Flags: review?(wmccloskey) → review+
Assignee
Comment 9•12 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/eeae414fa07a
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Reporter
Comment 11•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Reporter
Updated•12 years ago
Status: RESOLVED → VERIFIED
Reporter
Updated•12 years ago
Group: core-security
Reporter
Comment 12•11 years ago
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+