Closed Bug 756630 Opened 12 years ago Closed 12 years ago

IonMonkey: OOM Testing: Crash [@ js::ion::IonExitFooterFrame::ionCode]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 756615

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 756615])

The following command crashes on ionmonkey revision 8c54899dae82 (dbg build):

js  -e 'const libdir = "js/src/jit-test/lib/";' -A 36394 -f js/src/jit-test/tests/sunspider/check-crypto-sha1.js

Again a suspicious crash, could be an integer over/underflow:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fcc68 in js::ion::IonExitFooterFrame::ionCode (this=0xfffffffffffffff0) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h:147
        in /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h
#0  0x00000000007fcc68 in js::ion::IonExitFooterFrame::ionCode (this=0xfffffffffffffff0) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h:147
#1  0x00000000007fd6a5 in js::ion::IonFrameIterator::isNative (this=0x7fffffffbc58) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames.cpp:212
#2  0x000000000066cbf1 in js::StackIter::settleOnNewState (this=0x7fffffffbbf0) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/vm/Stack.cpp:1186
#3  0x000000000066d2b5 in js::StackIter::StackIter (this=0x7fffffffbbf0, cx=0xda05e0, savedOption=js::StackIter::STOP_AT_SAVED) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/vm/Stack.cpp:1295
#4  0x0000000000406e4c in js::ScriptFrameIter::ScriptFrameIter (this=0x7fffffffbbf0, cx=0xda05e0, opt=js::StackIter::STOP_AT_SAVED) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/vm/Stack.h:1938
#5  0x0000000000482da0 in PopulateReportBlame (cx=0xda05e0, report=0x7fffffffbfa0) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/jscntxt.cpp:376
#6  0x0000000000482f08 in js_ReportOutOfMemory (cx=0xda05e0) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/jscntxt.cpp:409
#7  0x0000000000484e99 in JSRuntime::onOutOfMemory (this=0x7ffff7f9a010, p=0x0, nbytes=72, cx=0xda05e0) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/jscntxt.cpp:1144
=> 0x7fcc68 <js::ion::IonExitFooterFrame::ionCode() const+12>:  mov    0x8(%rax),%rax
rax            0xfffffffffffffff0       -16

Still valid with ballast patch, but use this command on revision 88ea2e529609:

js -e 'const libdir = "js/src/jit-test/lib/";' -A 8964 -f js/src/jit-test/tests/sunspider/check-math-cordic.js

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 756615]
Group: core-security
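
A triage helper for backtraces like the one in this report, added here as an example and not part of the original bug or of Mozilla's tooling: it reinterprets each hexadecimal frame argument as a signed 64-bit value and flags those within an assumed 4 KiB of address zero, which is how `this=0xfffffffffffffff0` reads as -16, matching the `rax` dump. The two sample frames are abbreviated from the trace above; the function names, class labels and threshold are assumptions.

```python
import re

# Constructed sample: frames #0 and #1 from this report, with build paths shortened.
SAMPLE_BACKTRACE = """\
#0  0x00000000007fcc68 in js::ion::IonExitFooterFrame::ionCode (this=0xfffffffffffffff0) at IonFrames-x86-shared.h:147
#1  0x00000000007fd6a5 in js::ion::IonFrameIterator::isNative (this=0x7fffffffbc58) at IonFrames.cpp:212
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \((.*)\) at (\S+)$", re.M)
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+)")
NEAR_NULL = 0x1000  # assumption: one 4 KiB page either side of address 0


def as_signed64(value):
    """Reinterpret a 64-bit address as a two's-complement signed integer."""
    return value - (1 << 64) if value & (1 << 63) else value


def classify(value):
    """Label an address by its distance from zero (heuristic, not a verdict)."""
    signed = as_signed64(value)
    if signed == 0:
        return "null"
    if -NEAR_NULL <= signed < 0:
        return "null-minus-offset"
    if 0 < signed < NEAR_NULL:
        return "null-plus-offset"
    return "other"


def triage(backtrace):
    """Return (frame, function, arg, signed value, class) per hex argument."""
    findings = []
    for m in FRAME_RE.finditer(backtrace):
        frame, func, args = int(m.group(1)), m.group(2), m.group(3)
        for name, hexval in ARG_RE.findall(args):
            value = int(hexval, 16)
            findings.append((frame, func, name, as_signed64(value), classify(value)))
    return findings


if __name__ == "__main__":
    for frame, func, name, signed, kind in triage(SAMPLE_BACKTRACE):
        print(f"#{frame} {func} {name}={signed:#x} ({signed}) -> {kind}")
```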