Closed Bug 779819 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: hasArgs(), at ../vm/Stack-inl.h:307 or Crash [@ forEachUnaliasedActual]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking


VERIFIED FIXED
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: djvj)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][ion:p1:fx18])

Attachments

(1 file)

The following testcase asserts on ionmonkey revision 2169bca0c9a5 (run with --ion -n -m):


function baz(i) {}
function bar(x, y) {
    return baz.apply(0, x ? y : arguments)
}
for (var i = 0; i < 100000; ++i)
  bar(false, [42]);

Opt-crash info:

Program received signal SIGSEGV, Segmentation fault.
forEachUnaliasedActual<js::CopyTo> (cx=0xac8670, argc=<value optimized out>, vp=0x7fffffffce68) at ../vm/Stack-inl.h:270
270                 op(*p);
(gdb) bt
#0  forEachUnaliasedActual<js::CopyTo> (cx=0xac8670, argc=<value optimized out>, vp=0x7fffffffce68) at ../vm/Stack-inl.h:270
#1  js_fun_apply (cx=0xac8670, argc=<value optimized out>, vp=0x7fffffffce68) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsfun.cpp:910
#2  0x00007ffff7f43778 in ?? ()
#3  0x00007ffff0711a40 in ?? ()
#4  0x00007fffffffce40 in ?? ()
#5  0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x468e10 <js_fun_apply(JSContext*, unsigned int, JS::Value*)+832>:   mov    (%rax),%rcx
(gdb) info reg rax
rax            0x7ffff09cada8   140737230187944
If we are compiling with IonMonkey, the issue would be in IonBuilder.cpp: the function which handles fun.apply should fail at compilation time because its argument should be a MaybeArguments and not a DefiniteArguments (as returned by the TypeOracle).
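The comment above distinguishes three shapes a type oracle can assign to the second operand of fun.apply: always the `arguments` object, always a plain array, or either depending on a run-time condition (the testcase's `x ? y : arguments`). The following differential test, written for this bug page and not taken from the report or from the IonMonkey tree, exercises all three shapes in a hot loop and compares what the callee receives against interpreter semantics; the function names and sample values are constructed for the example.

```javascript
// Added example for this bug, not code from the report or from IonMonkey:
// a differential test covering the three argument-object shapes that a JIT
// type oracle has to classify when it compiles fun.apply.

function target() {
  // Snapshot of what the callee actually received.
  return Array.prototype.slice.call(arguments);
}

// DefiniteArguments: the apply operand is always the `arguments` object.
function applyDefiniteArguments() {
  return target.apply(null, arguments);
}

// Plain array: the apply operand is never the `arguments` object.
function applyArray(arr) {
  return target.apply(null, arr);
}

// MaybeArguments: the operand is chosen at run time, the shape in the
// bug's testcase (`x ? y : arguments`). A compiler may not assume either.
function applyMaybeArguments(useArray, arr) {
  return target.apply(null, useArray ? arr : arguments);
}

// Run every shape in a hot loop (so a tiered engine reaches its optimizing
// compiler) and count iterations whose result differs from the expected
// interpreter semantics computed up front. A correct engine yields zero
// mismatches; an engine with this bug instead asserts or crashes on the
// MaybeArguments call site once it is compiled.
function runHot(iterations) {
  const expected = {
    definite: JSON.stringify([1, 2, 3]),
    array: JSON.stringify([42]),
    maybeArray: JSON.stringify([7, 8]),
    // With useArray === false the callee sees applyMaybeArguments' own
    // arguments: (false, [7, 8]).
    maybeArguments: JSON.stringify([false, [7, 8]]),
  };
  let mismatches = 0;
  for (let i = 0; i < iterations; i++) {
    const got = {
      definite: JSON.stringify(applyDefiniteArguments(1, 2, 3)),
      array: JSON.stringify(applyArray([42])),
      maybeArray: JSON.stringify(applyMaybeArguments(true, [7, 8])),
      maybeArguments: JSON.stringify(applyMaybeArguments(false, [7, 8])),
    };
    for (const k of Object.keys(expected)) {
      if (got[k] !== expected[k]) mismatches++;
    }
  }
  return { iterations, mismatches };
}

console.log(runHot(100000));
```

The iteration count mirrors the testcase's loop so that the call sites get hot enough for an optimizing compiler to take over; on a correct engine the printed object reports zero mismatches for every shape.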
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Assignee: general → kvijayan
Attached patch Patch.
As you called it, Nicolas.
Attachment #650164 - Flags: review?(nicolas.b.pierron)
Comment on attachment 650164 [details] [diff] [review]
Patch.

Review of attachment 650164 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/IonBuilder.cpp
@@ +3590,4 @@
>      types::TypeSet *argObjTypes = oracle->getCallArg(script, argc, 2, pc);
> +    LazyArgumentsType isArgObj = oracle->isArgumentObject(argObjTypes);
> +    if (isArgObj == MaybeArguments)
> +        return false;
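Review bot: the bare `return false;` after `if (isArgObj == MaybeArguments)` refuses compilation of this fun.apply call without recording why, so this early exit is indistinguishable from any other builder failure when debugging a missed compilation. Prefer the abort path with a message, e.g. `return abort("NYI: Handle fun.apply with MaybeArguments");`, and add a one-line comment noting that the other LazyArgumentsType values fall through because the oracle can prove the operand's shape for them, which is what the later code relies on.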

nit: return abort("NYI: Handle fun.apply with MaybeArguments");
Attachment #650164 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/21b4797e4cb3
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security