Bug 779245 - IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 or Crash [@ GetValueType]
Status: Closed, VERIFIED FIXED
Opened 12 years ago; closed 12 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: firefox-esr10 --- unaffected
People: Reporter: decoder, Assigned: nbp
Keywords: assertion, testcase
Whiteboard: [jsbugmon:update][fuzzblocker][ion:p1:fx18]
Attachments (1 file): patch, 1.05 KB; dvander: review+; nbp: checkin+
Description (Reporter):
The following testcase asserts on ionmonkey revision b46621aba6fd (run with --ion -n -m):

    function printStatus (msg) {
      var lines = msg.split ("\n");
    }
    function enterFunc (funcName) function GetContext() {}
    test();
    function test() {
      enterFunc ();
      printStatus ("");
      for (let j = (32); j < 5; ++j)
        actual && ("0" in [3]);
      new test();
    }
Comment 1 (Reporter, 12 years ago):
Causing quite a few sigs.

Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]

Updated 12 years ago:
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][ion:p1:fx18]
Comment 2 (Reporter, 12 years ago):
Just found a test (less reduced) that causes the same assert but crashes in opt builds, but only in GDB, not in valgrind:

    Program received signal SIGSEGV, Segmentation fault.
    GetValueType (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at ../jsinferinlines.h:110
    110         return Type::ObjectType(&val.toObject());
    Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
    (gdb) bt 8
    #0  GetValueType (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at ../jsinferinlines.h:110
    #1  js::types::TypeMonitorResult (cx=0xac4670, script=0x7ffff07072e0, pc=<value optimized out>, rval=<value optimized out>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:4915
    #2  0x00000000006b9010 in Monitor (returnData=0x7fff00000002, returnType=0xac4670, returnReg=<value optimized out>, f=<value optimized out>) at ../jsinferinlines.h:758
    #3  js_InternalInterpret (returnData=0x7fff00000002, returnType=0xac4670, returnReg=<value optimized out>, f=<value optimized out>) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/methodjit/InvokeHelpers.cpp:1100
    #4  0x0000000000625839 in JaegerInterpoline ()
    Backtrace stopped: previous frame inner to this frame (corrupt stack?)
    (gdb) x /i $pc
    => 0x4846c9 <js::types::TypeMonitorResult(JSContext*, JSScript*, jsbytecode*, JS::Value const&)+313>:    mov    0x8(%r12),%rcx
    (gdb) info reg r12 rcx
    r12            0x0      0
    rcx            0xfffb7fffffffffff       -1266637395197953

Assuming this is some form of memory corruption due to the symptoms, marking S-s.

Group: core-security
Crash Signature: [@ GetValueType]
Summary: IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 → IonMonkey: Assertion failure: !thisv.isPrimitive(), at ion/Bailouts.cpp:138 or Crash [@ GetValueType]
Updated by Assignee, 12 years ago:
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Comment 3 (Assignee, 12 years ago):
Attachment #650358 - Flags: review?(dvander)

Review of attachment 650358 [details] [diff] [review] "Fix isConstructing when JM is calling Into Ion.":
Good catch

Attachment #650358 - Flags: review?(dvander) → review+
Comment 5 (Assignee, 12 years ago):
Comment on attachment 650358 [details] [diff] [review] "Fix isConstructing when JM is calling Into Ion.":
https://hg.mozilla.org/projects/ionmonkey/rev/7fcedafba16d

Attachment #650358 - Flags: checkin+
Updated by Assignee, 12 years ago:
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED

Updated by Reporter, 12 years ago:
Status: RESOLVED → VERIFIED
Comment 6 (Reporter, 12 years ago):
JSBugMon: This bug has been automatically verified fixed.

Updated 12 years ago:
status-firefox-esr10: --- → unaffected

Updated 9 years ago:
Group: core-security