Closed Bug 756619 Opened 8 years ago Closed 8 years ago

IonMonkey: OOM Testing: Crash [@ js::ion::IonJSFrameLayout::calleeToken]

Component: Core :: JavaScript Engine (defect)
Version: Other Branch
Platform: x86_64 Linux
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 756615

Reporter: decoder; Assignee: Unassigned
Keywords: crash, testcase; Whiteboard: [sg:dupe 756615]
The following command crashes on ionmonkey revision 8c54899dae82 (dbg build):

js -e 'const libdir = "js/src/jit-test/lib/";' -A 236067 -f js/src/jit-test/tests/v8-v5/check-crypto.js
The read here looks a bit ugly:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007bdcf8 in js::ion::IonJSFrameLayout::calleeToken (this=0x8fffffffbda4) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h:86
        in /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h
#0  0x00000000007bdcf8 in js::ion::IonJSFrameLayout::calleeToken (this=0x8fffffffbda4) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h:86
#1  0x00000000007fd543 in js::ion::IonFrameIterator::calleeToken (this=0x7fffffffbca8) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames.cpp:184
#2  0x00000000007fd71d in js::ion::IonFrameIterator::script (this=0x7fffffffbca8) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames.cpp:225
#3  0x00000000007fd44e in js::ion::IonFrameIterator::checkInvalidation (this=0x7fffffffbca8, ionScriptOut=0x7fffffffb2b8) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames.cpp:164
#4  0x00000000007fefe0 in js::ion::IonFrameIterator::ionScript (this=0x7fffffffbca8) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames.cpp:776
#5  0x00000000007feae1 in js::ion::SnapshotIterator::SnapshotIterator (this=0x7fffffffb310, iter=...) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames.cpp:654
#6  0x00000000007ff189 in js::ion::InlineFrameIterator::InlineFrameIterator (this=0x7fffffffb820, iter=0x7fffffffbca8) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames.cpp:803
#7  0x000000000066cc63 in js::StackIter::settleOnNewState (this=0x7fffffffbc40) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/vm/Stack.cpp:1195
=> 0x7bdcf8 <js::ion::IonJSFrameLayout::calleeToken() const+12>:        mov    0x10(%rax),%rax
rax            0x8fffffffbda4   158329674382756
Still valid with ballast patch, new -A value on revision 88ea2e529609 is 98275.
Same issue as bug 756615 (using ScriptFrameIter when allocating the BailoutClosure fails).
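The reproduction above relies on the js shell's -A N option, which makes the N-th allocation fail so that every OOM error path can be exercised one at a time. The harness below is an added example of that technique in plain C; it is not SpiderMonkey code, and the allocator wrapper, the Closure type and the two init variants are hypothetical stand-ins for the BailoutClosure allocation the comment refers to. It sweeps the failure point through every allocation and checks the postcondition on each path, which is exactly how a "claims success but leaves a half-built object" bug of the kind described here gets caught without a debugger.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocation-failure injector in the spirit of `js -A N`:
 * the fail_at-th call to oom_malloc returns NULL, every other call succeeds.
 * Added example; none of these names exist in SpiderMonkey. */
static long alloc_count;   /* allocations seen so far in the current run */
static long fail_at;       /* 0 = never fail, else fail the fail_at-th call */

static void oom_reset(long n) { alloc_count = 0; fail_at = n; }

static void *oom_malloc(size_t sz) {
    if (++alloc_count == fail_at)
        return NULL;
    return malloc(sz);
}

/* Toy object that needs two allocations to be fully built. */
typedef struct {
    char *name;
    int  *slots;
    int   nslots;
} Closure;

/* Buggy variant: ignores allocation failure and reports success anyway,
 * handing the caller a half-built object to dereference later. */
static int closure_init_unchecked(Closure *c, const char *name, int nslots) {
    c->name = oom_malloc(strlen(name) + 1);
    if (c->name) strcpy(c->name, name);
    c->slots = oom_malloc(sizeof(int) * (size_t)nslots);
    c->nslots = nslots;
    return 0;
}

/* Fixed variant: every allocation is checked, partial state is torn down,
 * and the failure is reported so the caller never touches the object. */
static int closure_init_checked(Closure *c, const char *name, int nslots) {
    memset(c, 0, sizeof *c);
    c->name = oom_malloc(strlen(name) + 1);
    if (!c->name) return -1;
    strcpy(c->name, name);
    c->slots = oom_malloc(sizeof(int) * (size_t)nslots);
    if (!c->slots) { free(c->name); c->name = NULL; return -1; }
    c->nslots = nslots;
    return 0;
}

static void closure_free(Closure *c) {
    free(c->name);  c->name = NULL;
    free(c->slots); c->slots = NULL;
}

/* Run init with the failure point at allocation 1..max_allocs and validate
 * the postcondition "rc == 0 implies a fully built object".
 * Returns the first N that breaks it, or 0 if every OOM path is clean. */
static long oom_sweep(int (*init)(Closure *, const char *, int), long max_allocs) {
    for (long n = 1; n <= max_allocs; n++) {
        Closure c;
        oom_reset(n);
        int rc = init(&c, "check-crypto", 4);   /* constructed sample input */
        if (rc == 0 && (c.name == NULL || c.slots == NULL)) {
            closure_free(&c);
            return n;   /* success reported with a half-built object */
        }
        if (rc == 0)
            closure_free(&c);
    }
    return 0;
}

int main(void) {
    printf("unchecked: first bad N = %ld\n", oom_sweep(closure_init_unchecked, 3));
    printf("checked:   first bad N = %ld\n", oom_sweep(closure_init_checked, 3));
    return 0;
}
```

Sweeping N from 1 upward rather than picking one value is the point: each N exercises a different error path, and the first N that breaks the invariant is the one to debug, much as the report above records a concrete -A value and then a new one after the ballast patch moved the allocation count.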
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 756615
Whiteboard: [sg:dupe 756615]
Group: core-security