Closed
Bug 779819
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: hasArgs(), at ../vm/Stack-inl.h:307 or Crash [@ forEachUnaliasedActual]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: djvj)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][ion:p1:fx18])
Attachments
(1 file)
patch, 1.43 KB | nbp: review+
The following testcase asserts on ionmonkey revision 2169bca0c9a5 (run with --ion -n -m):

```js
function baz(i) {}
function bar(x, y) {
  return baz.apply(0, x ? y : arguments)
}
for (var i = 0; i < 100000; ++i)
  bar(false, [42]);
```
Reporter | ||
Comment 1•12 years ago
|
||
Opt-crash info:

```
Program received signal SIGSEGV, Segmentation fault.
forEachUnaliasedActual<js::CopyTo> (cx=0xac8670, argc=<value optimized out>, vp=0x7fffffffce68) at ../vm/Stack-inl.h:270
270 op(*p);
(gdb) bt
#0 forEachUnaliasedActual<js::CopyTo> (cx=0xac8670, argc=<value optimized out>, vp=0x7fffffffce68) at ../vm/Stack-inl.h:270
#1 js_fun_apply (cx=0xac8670, argc=<value optimized out>, vp=0x7fffffffce68) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsfun.cpp:910
#2 0x00007ffff7f43778 in ?? ()
#3 0x00007ffff0711a40 in ?? ()
#4 0x00007fffffffce40 in ?? ()
#5 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x468e10 <js_fun_apply(JSContext*, unsigned int, JS::Value*)+832>: mov (%rax),%rcx
(gdb) info reg rax
rax 0x7ffff09cada8 140737230187944
```
Comment 2•12 years ago
|
||
If we are compiling with IonMonkey, the issue would be in IonBuilder.cpp; the function which handles fun.apply should fail at compilation time because its argument should be a MaybeArguments and not a DefiniteArguments (as returned by the TypeOracle).
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Assignee | ||
Updated•12 years ago
|
Assignee: general → kvijayan
Assignee | ||
Comment 3•12 years ago
|
||
As you called it, Nicolas.
Attachment #650164 -
Flags: review?(nicolas.b.pierron)
Comment 4•12 years ago
|
||
Comment on attachment 650164 [details] [diff] [review] Patch. Review of attachment 650164 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/IonBuilder.cpp @@ +3590,4 @@ > types::TypeSet *argObjTypes = oracle->getCallArg(script, argc, 2, pc); > + LazyArgumentsType isArgObj = oracle->isArgumentObject(argObjTypes); > + if (isArgObj == MaybeArguments) > + return false; nit: return abort("NYI: Handle fun.apply with MaybeArguments");
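Review bot: the bare `return false` under `if (isArgObj == MaybeArguments)` leaves no record of why compilation of the script was abandoned, so this bailout cannot be told apart from any other compile failure; returning through `abort("NYI: Handle fun.apply with MaybeArguments")`, as the nit proposes, keeps the reason visible. The name `isArgObj` also reads like a boolean although it holds a `LazyArgumentsType` enum value; a name that says it is a classification would make the comparison against `MaybeArguments` easier to follow. The quoted hunk shows no test: the testcase from the description, `baz.apply(0, x ? y : arguments)` called in a hot loop, is small enough to add as a regression test alongside the fix.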
Attachment #650164 -
Flags: review?(nicolas.b.pierron) → review+
Assignee | ||
Comment 5•12 years ago
|
||
https://hg.mozilla.org/projects/ionmonkey/rev/21b4797e4cb3
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 6•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
Updated•9 years ago
|
Group: core-security