Closed Bug 759177 Opened 12 years ago Closed 12 years ago

IonMonkey: Opt-only Crash [@ js::types::TypeMonitorResult]

Product/Component: Core :: JavaScript Engine
Type: defect
Version: Other Branch
Platform: x86 Linux
Priority: Not set
Severity: major
Status: RESOLVED WORKSFORME
Reporter: decoder
Assignee: Unassigned
Keywords: crash, testcase
Whiteboard: [jsbugmon:update][ion:p1:fx18]
Attachments: 1 file

Attached file Testcase for shell
The attached testcase crashes on ionmonkey revision 4ce3983a43f4 (run with --ion -n -m --ion-eager).
This bug is opt-only and hard to compose further. Crash trace:

==32323== Invalid read of size 4
==32323==    at 0x80D3D26: js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) (Barrier.h:170)
==32323==    by 0x8317151: js::ion::ReflowTypeInfo(unsigned int) (jsinferinlines.h:590)
==32323==    by 0x7B8967B: ???
==32323==    by 0x831C7A7: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1023)
==32323==    by 0x80F2079: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2625)
==32323==    by 0x80F341F: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:285)
==32323==    by 0x80F4431: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:485)
==32323==    by 0x8069EFE: JS_ExecuteScript (jsapi.cpp:5352)
==32323==    by 0x80502F7: Load(JSContext*, unsigned int, JS::Value*) (js.cpp:733)
==32323==    by 0x80F38A6: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:397)
==32323==    by 0x80E7D3F: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2564)
==32323==    by 0x80F341F: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:285)
==32323==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
I could reproduce this once at the given revision and I'm pretty sure it's a duplicate of bug 768004. Unfortunately, I can no longer reproduce the crash at the same revision, but decoder says the fuzzer hasn't hit this anymore so closing as WFM.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME