Closed Bug 779245 Opened 13 years ago Closed 13 years ago

IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 or Crash [@ GetValueType]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: nbp)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][fuzzblocker][ion:p1:fx18])

Crash Data

Attachments

(1 file)

Fix isConstructing when JM is calling Into Ion.
1.05 KB, patch
dvander
: review+
nbp
: checkin+
Details | Diff | Splinter Review
The following testcase asserts on ionmonkey revision b46621aba6fd (run with --ion -n -m): function printStatus (msg) { var lines = msg.split ("\n"); } function enterFunc (funcName) function GetContext() {} test(); function test() { enterFunc (); printStatus (""); for (let j = (32); j < 5; ++j) actual && ("0" in [3]); new test(); }
Causing quite a few sigs.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][ion:p1:fx18]
Just found a test (less reduced) that causes the same assert but crashes in opt builds, but only in GDB, not in valgrind: Program received signal SIGSEGV, Segmentation fault. GetValueType (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at ../jsinferinlines.h:110 110 return Type::ObjectType(&val.toObject()); Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64 (gdb) bt 8 #0 GetValueType (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at ../jsinferinlines.h:110 #1 js::types::TypeMonitorResult (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:4915 #2 0x00000000006b9010 in Monitor (returnData=0x7fff00000002, returnType=0xac4670, returnReg=<value optimized out>, f=<value optimized out>) at ../jsinferinlines.h:758 #3 js_InternalInterpret (returnData=0x7fff00000002, returnType=0xac4670, returnReg=<value optimized out>, f=<value optimized out>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/methodjit/InvokeHelpers.cpp:1100 #4 0x0000000000625839 in JaegerInterpoline () Backtrace stopped: previous frame inner to this frame (corrupt stack?) (gdb) x /i $pc => 0x4846c9 <js::types::TypeMonitorResult(JSContext*, JSScript*, jsbytecode*, JS::Value const&)+313>: mov 0x8(%r12),%rcx (gdb) info reg r12 rcx r12 0x0 0 rcx 0xfffb7fffffffffff -1266637395197953 Assuming this is some form of memory corruption due to the symptoms, marking S-s.
Group: core-security
Crash Signature: [@ GetValueType]
Summary: IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 → IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 or Crash [@ GetValueType]
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Comment on attachment 650358 [details] [diff] [review] Fix isConstructing when JM is calling Into Ion. Review of attachment 650358 [details] [diff] [review]: ----------------------------------------------------------------- Good catch
Attachment #650358 - Flags: review?(dvander) → review+
Comment on attachment 650358 [details] [diff] [review] Fix isConstructing when JM is calling Into Ion. https://hg.mozilla.org/projects/ionmonkey/rev/7fcedafba16d
Attachment #650358 - Flags: checkin+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: