Closed
Bug 759210
Opened 13 years ago
Closed 13 years ago
IonMonkey: Assertion failure: (d.lengthAndFlags & FLAGS_MASK) == DEPENDENT_BIT, at vm/String.h:303
Categories
(Core :: JavaScript Engine, defect)
Status: RESOLVED DUPLICATE of bug 759312
People
(Reporter: decoder, Unassigned)
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments (1 file): 7.83 KB, application/x-gzip
The attached testcase asserts on ionmonkey revision 4ce3983a43f4 (run with --ion -n -m --ion-eager).
Comment 1 (Reporter) • 13 years ago
This seems to be some serious memory corruption. The initial test (before minimizing further) crashed like this:
==18262== Invalid read of size 4
==18262== at 0x97C1EA8: ???
==18262== by 0x84D32C3: JSC::Yarr::YarrCodeBlock::execute(unsigned short const*, unsigned int, unsigned int, int*) (YarrJIT.h:72)
==18262== by 0x84DB21B: JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, unsigned short const*, unsigned int, unsigned int, int*) (YarrJIT.cpp:2468)
==18262== by 0x8323706: js::detail::RegExpCode::execute(JSContext*, unsigned short const*, unsigned int, unsigned int, int*, unsigned int) (RegExpObject.cpp:224)
==18262== by 0x83248C3: js::RegExpShared::execute(JSContext*, unsigned short const*, unsigned int, unsigned int*, js::MatchPairs**) (RegExpObject.cpp:496)
==18262== by 0x832DC18: bool ExecuteRegExpImpl<js::RegExpShared>(JSContext*, js::RegExpStatics*, js::RegExpShared&, JSLinearString*, unsigned short const*, unsigned int, unsigned int*, js::RegExpExecType, JS::Value*) (RegExp.cpp:107)
==18262== by 0x832BD96: js::ExecuteRegExp(JSContext*, js::RegExpStatics*, js::RegExpShared&, JSLinearString*, unsigned short const*, unsigned int, unsigned int*, js::RegExpExecType, JS::Value*) (RegExp.cpp:138)
==18262== by 0x820E565: DoMatch(JSContext*, js::RegExpStatics*, JSString*, js::RegExpShared&, bool (*)(JSContext*, js::RegExpStatics*, unsigned int, void*), void*, MatchControlFlags, JS::Value*) (jsstr.cpp:1525)
==18262== by 0x8210DFF: str_replace_regexp(JSContext*, js::CallArgs, ReplaceData&) (jsstr.cpp:2111)
==18262== by 0x8211B3F: js::str_replace(JSContext*, unsigned int, JS::Value*) (jsstr.cpp:2309)
==18262== by 0x996F359: ???
==18262== Address 0xdadadada is not stack'd, malloc'd or (recently) free'd
Unfortunately it is very hard to reduce further and/or compose.
Comment 2 (David Anderson [:dvander]) • 13 years ago
Christian, I can't seem to reproduce this. Am I supposed to run driver.js?
Comment 3 (Reporter) • 13 years ago
(In reply to David Anderson [:dvander] from comment #2)
> Christian, I can't seem to reproduce this. Am I supposed to run driver.js?
No. There should be a README inside the archive that describes how to run the test. It requires the shell + driver to be run but the log must be provided on stdin.
Updated • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated (Reporter) • 13 years ago
Group: core-security
Comment 5 (Reporter) • 12 years ago
A testcase for this bug was already added in the original bug (bug 759312).
Flags: in-testsuite-