IonMonkey: Assertion failure: stackPosition_ < info_.nslots(), at ion/MIRGraph.cpp:332 or Crash [@ vtable for js::ion::MConstant]

RESOLVED DUPLICATE of bug 779813

Status

Core
JavaScript Engine
--
major
5 years ago
3 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86_64
Linux

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update][ion:p1:fx18])

(Reporter)

Description

5 years ago
The following testcase asserts on ionmonkey revision 2169bca0c9a5 (run with --ion -n -m --ion-eager):


function f_app(f,n) {
	return f();
}
assertEq(f_app(Math.sqrt, 16), 4);
(Reporter)

Comment 1

5 years ago
Opt-crash looks dangerous:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a81d10 in vtable for js::ion::MConstant ()
Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
(gdb) x /i $pc
=> 0xa81d10 <_ZTVN2js3ion9MConstantE+16>:       rcrb   0x0(%rsp,%rbp,2)
(gdb) info reg rsp rbp
rsp            0x7fffffffc858   0x7fffffffc858
rbp            0x7fffffffc950   0x7fffffffc950
(gdb) bt
#0  0x0000000000a81d10 in vtable for js::ion::MConstant ()
#1  0x000000000072a1a9 in isDefinition (this=0x7fffffffc9c0) at js/src/ion/MIR.h:123
#2  search (this=0x7fffffffc9c0) at js/src/ion/MIR.h:468
#3  MUseDefIterator (this=0x7fffffffc9c0) at js/src/ion/MIR.h:477
#4  markConsumers (this=0x7fffffffc9c0) at js/src/ion/ValueNumbering.cpp:112
#5  js::ion::ValueNumberer::computeValueNumbers (this=0x7fffffffc9c0) at js/src/ion/ValueNumbering.cpp:219
#6  0x000000000072a759 in js::ion::ValueNumberer::analyze (this=0x7fffffffc9c0) at js/src/ion/ValueNumbering.cpp:386
#7  0x00000000006c12f0 in js::ion::BuildMIR (builder=<value optimized out>, graph=...) at js/src/ion/Ion.cpp:748
#8  0x00000000006c4844 in TestCompiler (cx=0xac8670, script=<value optimized out>, fun=<value optimized out>, osrPc=0x0, constructing=<value optimized out>)
    at js/src/ion/Ion.cpp:839
#9  js::ion::IonCompile<js::ion::TestCompiler> (cx=0xac8670, script=<value optimized out>, fun=<value optimized out>, osrPc=0x0, constructing=<value optimized out>)
    at js/src/ion/Ion.cpp:876
#10 0x00000000006c4f3c in Compile<js::ion::TestCompiler> (cx=0xac8670, script=0x7ffff07071a0, fp=0x7ffff09d50d0, newType=<value optimized out>) at js/src/ion/Ion.cpp:992
#11 js::ion::CanEnter (cx=0xac8670, script=0x7ffff07071a0, fp=0x7ffff09d50d0, newType=<value optimized out>) at js/src/ion/Ion.cpp:1082
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 779813
Group: core-security