Closed Bug 759314 Opened 8 years ago Closed 8 years ago

IonMonkey: Crash [@ js::ion::MachineState::read]

Categories

(Core :: JavaScript Engine, defect, major)

Other Branch
x86
Linux
defect
Not set
major

Tracking

()

RESOLVED DUPLICATE of bug 759213

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

The following testcase crashes on ionmonkey revision 4ce3983a43f4 (run with --ion -n -m --ion-eager):


function testCustomIterator() {
    var o = {
        __iterator__: function () {
            return {            };
        }
    };
    for (var k = 0; k < 100; k += 10) {
        for(var j in o) {
            if (typeof timeout == 'function' && typeof Worker != 'undefined') {
    		for (var i = 0; i < 5; i++)
    		  reportCompare(0, 0, "Test skipped. Shell workers and timeout required.");
	    }
        }
    }
}
testCustomIterator();
Crash trace:


Program received signal SIGSEGV, Segmentation fault.
0x084441fc in js::ion::MachineState::read (this=0xffffbbfc, reg=...) at ../ion/Registers.h:146
146             return *regs_[reg.code()];
(gdb) bt
#0  0x084441fc in js::ion::MachineState::read (this=0xffffbbfc, reg=...) at ../ion/Registers.h:146
#1  0x08446616 in js::ion::SnapshotIterator::fromLocation (this=0xffffbbbc, loc=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:640
#2  0x08446983 in js::ion::SnapshotIterator::slotValue (this=0xffffbbbc, slot=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:706
#3  0x08279771 in js::ion::SnapshotIterator::read (this=0xffffbbbc) at ../ion/IonFrameIterator.h:248
#4  0x0844558a in CloseLiveIterator (cx=0x87cf570, frame=..., localSlot=1) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:279
#5  0x0844574a in CloseLiveIterators (cx=0x87cf570, frame=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:314
#6  0x0844580e in js::ion::HandleException (rfe=0xffffbf6c) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:332
#7  0x00414c16 in ?? ()


Likely null-deref.
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 52692d2e14fe).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 759213
A testcase for this bug was already added in the original bug (bug 759213).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.