Closed
Bug 765335
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: regs.sp[-1].isObject(), at jsinterp.cpp:1886 or Crash at 0xdeadbeee (ARM)
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox15 | --- | unaffected |
| firefox16 | --- | unaffected |
| firefox17 | --- | unaffected |
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, sec-critical, testcase, Whiteboard: [ion:p1:fx18])
The following testcase asserts on ionmonkey-arm (private branch) revision 153a2db06024 (run with --ion -n -m --ion-eager):
function startTest() {}
function writeHeaderToLog( string ) {
print( string );
}
this.watch("x", function() { });
evaluate('\
var SECTION = "12.6.3-3";\
var VERSION = "ECMA_1";\
startTest();\
var TITLE = "The for..in statement";\
writeHeaderToLog( ++ TITLE );\
var o = {};\
var result = "";\
for ( (TITLE).a in [1,2,3] ) { result += String( [(0),2,3][o.a] ); }\
',{ noScriptRval: true });
|
Reporter | |
Comment 1•12 years ago
|
||
Please note that you need the patch from bug 765302 for this test to work (the noScriptRval option to evaluate was previously not supported). Alternatively, you can replace the evaluate by a load("tmp.js") and put the evaluated code into tmp.js. Crash Info (opt build): Program received signal SIGSEGV, Segmentation fault. 0xdeadbeee in ?? () (gdb) bt #0 0xdeadbeee in ?? () #1 0x002af658 in iterator_methods () #2 0x002af658 in iterator_methods () Backtrace stopped: previous frame identical to this frame (corrupt stack?)
|
||
Updated•12 years ago
|
Summary: IonMonkey: Assertion failure: regs.sp[-1].isObject(), at jsinterp.cpp:1886 or Crash at 0xdeadbeee → IonMonkey: Assertion failure: regs.sp[-1].isObject(), at jsinterp.cpp:1886 or Crash at 0xdeadbeee (ARM)
|
||
Comment 2•12 years ago
|
||
I just imported that patch, and rebuilt and didn't see any crashes. Does this still reproduce for you? (does the unreduced testcase still crash?)
|
||
Comment 3•12 years ago
|
||
Christian: are you still seeing this crash?
|
|
Reporter | |
Comment 4•12 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #3) > Christian: are you still seeing this crash? Marty told me on IRC that he reproduced this and is working on it :)
|
|
||
Updated•12 years ago
|
Whiteboard: [ion:p1:fx18]
|
|
||
Updated•12 years ago
|
Keywords: sec-critical
|
||
Updated•12 years ago
|
status-firefox15:
--- → unaffected
status-firefox16:
--- → unaffected
status-firefox17:
--- → unaffected
|
|
Reporter | |
Comment 5•12 years ago
|
||
Just fyi, the bug doesn't reproduce for me on tip. Marty, are you still working on this or should we close WFM?
|
|
||
Comment 6•12 years ago
|
||
mjrosenb mentions that we should close this WFM.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
|
|
||
Updated•12 years ago
|
Group: core-security
|
|
Reporter | |
Comment 7•11 years ago
|
||
Was never on central and the test is probably not reliable, marking in-testsuite-.
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•