Closed
Bug 759177
Opened 12 years ago
Closed 12 years ago
IonMonkey: Opt-only Crash [@ js::types::TypeMonitorResult]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update][ion:p1:fx18])
Crash Data
Attachments
(1 file)
9.06 KB, application/x-gzip
The attached testcase crashes on ionmonkey revision 4ce3983a43f4 (run with --ion -n -m --ion-eager).
Reporter
Comment 1•12 years ago
This bug is opt-only and hard to compose further. Crash trace:

==32323== Invalid read of size 4
==32323==    at 0x80D3D26: js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) (Barrier.h:170)
==32323==    by 0x8317151: js::ion::ReflowTypeInfo(unsigned int) (jsinferinlines.h:590)
==32323==    by 0x7B8967B: ???
==32323==    by 0x831C7A7: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1023)
==32323==    by 0x80F2079: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2625)
==32323==    by 0x80F341F: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:285)
==32323==    by 0x80F4431: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:485)
==32323==    by 0x8069EFE: JS_ExecuteScript (jsapi.cpp:5352)
==32323==    by 0x80502F7: Load(JSContext*, unsigned int, JS::Value*) (js.cpp:733)
==32323==    by 0x80F38A6: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:397)
==32323==    by 0x80E7D3F: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2564)
==32323==    by 0x80F341F: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:285)
==32323==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
Updated•12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Comment 2•12 years ago
I could reproduce this once at the given revision and I'm pretty sure it's a duplicate of bug 768004. Unfortunately, I can no longer reproduce the crash at the same revision, but decoder says the fuzzer hasn't hit this anymore so closing as WFM.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME