Closed Bug 759211 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::ShapeTable::search]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major


RESOLVED DUPLICATE of bug 759312

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])


The following testcase crashes on ionmonkey revision 4ce3983a43f4 (run with --ion -n -m --ion-eager):


try {
var actual = '';
function testNaNCanonicalization() {
    var buf = new ArrayBuffer(128);
    var u8 = new Uint8Array(buf);
    for (var i = 0; i < 128; i++)
        u8[i] = 0xFF;
    var dblarr = new Float64Array(buf);
}
for (var i = 0; i < 10; (actual)++) {
    testNaNCanonicalization();
}
} catch(exc1) {}
This only reproduced for me on an opt build and it did not always reproduce consistently (that's why I s-s'ed it). The crash looks like this:

==20428== Invalid read of size 4
==20428==    at 0x8159327: js::ShapeTable::search(int, bool) (jsscope.cpp:158)
==20428==    by 0xFEBD127F: ???
==20428==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
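What the testcase's buffer actually holds once it is viewed through a Float64Array, as an added example that is not part of the bug report and not SpiderMonkey code: it rebuilds the 128-byte all-0xFF buffer, decodes each element's IEEE-754 fields, and checks whether storing such a NaN back through a fresh typed array keeps its payload. The names buildTestBuffer, classify, inspectElement, inspectAllOnesBuffer and roundTripPreservesPayload are this example's own; it assumes a little-endian host (as in the x86 report) and an engine with DataView.prototype.getBigUint64.

```javascript
// Added example, not from the bug report or from SpiderMonkey. It rebuilds the
// 128-byte all-0xFF buffer the testcase creates and decodes what the Float64Array
// view sees. Assumes a little-endian host (as in the x86 report) and an engine
// with DataView.prototype.getBigUint64 (ES2020).

const BUF_LEN = 128;                       // same size as the testcase's ArrayBuffer
const MANTISSA_MASK = (1n << 52n) - 1n;    // low 52 bits of a binary64

// Constructed input: the buffer exactly as the testcase fills it.
function buildTestBuffer() {
  const buf = new ArrayBuffer(BUF_LEN);
  const u8 = new Uint8Array(buf);
  for (let i = 0; i < BUF_LEN; i++) u8[i] = 0xFF;
  return buf;
}

// Split raw binary64 bits into sign / exponent / mantissa and name the class.
function classify(bits) {
  const sign = Number(bits >> 63n);
  const exponent = Number((bits >> 52n) & 0x7FFn);
  const mantissa = bits & MANTISSA_MASK;
  let kind;
  if (exponent === 0x7FF) kind = mantissa === 0n ? 'infinity' : 'nan';
  else if (exponent === 0) kind = mantissa === 0n ? 'zero' : 'subnormal';
  else kind = 'normal';
  return { sign, exponent, mantissa, kind };
}

// Read element i of a Float64Array both as a JS number and as raw bits.
function inspectElement(dbl, i) {
  const dv = new DataView(dbl.buffer, dbl.byteOffset + i * 8, 8);
  const bits = dv.getBigUint64(0, true);   // little-endian, per assumption
  return { value: dbl[i], ...classify(bits) };
}

// Decode every element of the all-0xFF buffer: each is a NaN whose sign bit is
// set and whose 52-bit payload is all ones, i.e. not the engine's canonical NaN.
function inspectAllOnesBuffer() {
  const dbl = new Float64Array(buildTestBuffer());
  return Array.from(dbl, (_, i) => inspectElement(dbl, i));
}

// Whether storing such a NaN back through a fresh Float64Array keeps its bit
// pattern. Engines may replace it with their canonical NaN, so the answer is
// engine-specific; the function reports it rather than assuming either way.
function roundTripPreservesPayload() {
  const src = new Float64Array(buildTestBuffer());
  const dst = new Float64Array(1);
  dst[0] = src[0];
  const srcBits = new DataView(src.buffer).getBigUint64(0, true);
  const dstBits = new DataView(dst.buffer).getBigUint64(0, true);
  return srcBits === dstBits;
}

// Stand-alone usage: show the first two decoded elements and the round-trip result.
if (typeof require !== 'undefined' && require.main === module) {
  for (const r of inspectAllOnesBuffer().slice(0, 2)) console.log(r);
  console.log('payload preserved on round trip:', roundTripPreservesPayload());
}
```

The point of decoding the raw bits rather than only checking Number.isNaN is that NaN values are not all alike at the bit level: the buffer yields 16 NaNs with a full payload, and whether an engine preserves that payload when the value passes through a JS number and back into a typed array is exactly the canonicalization behaviour the testcase exercises.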
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 80a444262772).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
I can reproduce this on tip. Tested to be a dupe of bug 759312.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
A testcase for this bug was already added in the original bug (bug 759312).
Flags: in-testsuite-