Closed Bug 779837 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: pred->stackDepth() == entryResumePoint()->stackDepth(), at ion/MIRGraph.cpp:637 or Crash [@ js::ion::MPhi::addInput]

Categories

(Core :: JavaScript Engine, defect)

Version: Other Branch
Hardware: x86_64 / Linux
Type: defect
Priority: Not set
Severity: major

Tracking


RESOLVED DUPLICATE of bug 779813

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update][fuzzblocker][ion:p1:fx18])

The following testcase asserts on ionmonkey revision 2169bca0c9a5 (run with --ion -n):


function testMethodInit() {
    function o() {}
    function k() {}
    for (var i = 0; i < 100000; ++i, Math.tan())
        x = {o: o, k: k};
}
testMethodInit();
A lot of failures keep morphing into this one, marking as a fuzzblocker.

Crash also looks dangerous, but similar to previously filed bugs, so these might be dups:

==10085== Invalid write of size 8
==10085==    at 0x77B80D: js::ion::MPhi::addInput(js::ion::MDefinition*) (Vector.h:790)
==10085==    by 0x71B1D7: js::ion::MBasicBlock::setBackedge(js::ion::MBasicBlock*) (MIRGraph.cpp:661)
==10085==    by 0x6D1C83: js::ion::IonBuilder::finishLoop(js::ion::IonBuilder::CFGState&, js::ion::MBasicBlock*) (IonBuilder.cpp:1303)
==10085==    by 0x6E4577: js::ion::IonBuilder::traverseBytecode() (IonBuilder.cpp:1112)
==10085==    by 0x6E62ED: js::ion::IonBuilder::build() (IonBuilder.cpp:344)
==10085==    by 0x6C10DB: js::ion::BuildMIR(js::ion::IonBuilder&, js::ion::MIRGraph&) (Ion.cpp:692)
==10085==    by 0x6C4843: bool js::ion::IonCompile<&(js::ion::TestCompiler(js::ion::IonBuilder&, js::ion::MIRGraph&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:839)
==10085==    by 0x6C4C4B: js::ion::CanEnterAtBranch(JSContext*, JSScript*, js::StackFrame*, unsigned char*) (Ion.cpp:992)
==10085==    by 0x4A4CCF: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1516)
==10085==    by 0x4AAC16: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:321)
==10085==    by 0x4AB9C9: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:507)
==10085==    by 0x41D5A9: JS_ExecuteScript (jsapi.cpp:5626)
==10085==  Address 0x433fca0 is not stack'd, malloc'd or (recently) free'd
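As an added example (my code, not part of the bug report or the SpiderMonkey tree), here is a small triage helper of the kind used when bucketing fuzzer crashes like this one: it parses a memcheck error block into its access kind, access size, symbolized frames and address note, builds a stack signature that can be compared against other reports (the reporter suspects this is a dup of earlier filings), and ranks a write to memory Valgrind cannot attribute above reads. The sample input is the block quoted above, re-embedded as constructed data; the regexes, the signature depth and the severity rules are assumptions of this example, not anything Valgrind or Bugzilla provides.

```python
"""Parse and rank a Valgrind memcheck error block (added triage example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the first frames of the memcheck block quoted in the report.
SAMPLE = """\
==10085== Invalid write of size 8
==10085==    at 0x77B80D: js::ion::MPhi::addInput(js::ion::MDefinition*) (Vector.h:790)
==10085==    by 0x71B1D7: js::ion::MBasicBlock::setBackedge(js::ion::MBasicBlock*) (MIRGraph.cpp:661)
==10085==    by 0x6D1C83: js::ion::IonBuilder::finishLoop(js::ion::IonBuilder::CFGState&, js::ion::MBasicBlock*) (IonBuilder.cpp:1303)
==10085==    by 0x6E4577: js::ion::IonBuilder::traverseBytecode() (IonBuilder.cpp:1112)
==10085==  Address 0x433fca0 is not stack'd, malloc'd or (recently) free'd
"""

# Assumed line shapes (memcheck's default text output).
HEADER_RE = re.compile(r"^==(\d+)== Invalid (read|write) of size (\d+)$")
# Function names may themselves contain parentheses; the location is the last
# parenthesised group on the line, e.g. "(Vector.h:790)" or "(in /path/to/js)".
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x([0-9A-Fa-f]+): (.+?) \(([^()]+)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.+)$")


@dataclass
class MemcheckError:
    pid: int
    kind: str                       # "read" or "write"
    size: int                       # access width in bytes
    frames: list = field(default_factory=list)  # (pc, function, location)
    address: int = 0
    address_note: str = ""          # e.g. "not stack'd, malloc'd or (recently) free'd"


def parse_memcheck(text):
    """Return the first Invalid read/write block in `text`, or None."""
    err = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if err is not None:     # only the first error block is wanted here
                break
            err = MemcheckError(int(m.group(1)), m.group(2), int(m.group(3)))
            continue
        if err is None:
            continue
        m = FRAME_RE.match(line)
        if m:
            err.frames.append((int(m.group(1), 16), m.group(2), m.group(3)))
            continue
        m = ADDR_RE.match(line)
        if m:
            err.address = int(m.group(1), 16)
            err.address_note = m.group(2)
    return err


def function_name(symbol):
    """Strip the parameter list so overloads bucket together."""
    return symbol.split("(", 1)[0]


def signature(err, depth=3):
    """Bucket key: access kind/size plus the top `depth` function names."""
    top = [function_name(fn) for _, fn, _ in err.frames[:depth]]
    return f"{err.kind}{err.size}@" + ">".join(top)


def severity(err):
    """Assumed ranking: an unattributed wild write is the worst case."""
    if err.kind == "write" and "not stack'd" in err.address_note:
        return "high"
    if err.kind == "write":
        return "medium"
    return "low"


if __name__ == "__main__":
    e = parse_memcheck(SAMPLE)
    print(severity(e), signature(e))
    for pc, fn, loc in e.frames:
        print(f"  {pc:#x} {function_name(fn)} ({loc})")
```

With the sample above the helper reports severity "high" and the signature `write8@js::ion::MPhi::addInput>js::ion::MBasicBlock::setBackedge>js::ion::IonBuilder::finishLoop`; comparing that key against the signature of the earlier reports is the quick check behind the "might be dups" remark.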
Keywords: crash
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][ion:p1:fx18]
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security