Closed
Bug 779837
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: pred->stackDepth() == entryResumePoint()->stackDepth(), at ion/MIRGraph.cpp:637 or Crash [@ js::ion::MPhi::addInput]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 779813
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update][fuzzblocker][ion:p1:fx18])
The following testcase asserts on ionmonkey revision 2169bca0c9a5 (run with --ion -n):

function testMethodInit() {
  function o() {}
  function k() {}
  for (var i = 0; i < 100000; ++i, Math.tan())
    x = {o: o, k: k};
}
testMethodInit();
Reporter
Comment 1•12 years ago
A lot of failures keep morphing into this one, marking as a fuzzblocker. Crash also looks dangerous, but similar to previously filed bugs, so these might be dups:

==10085== Invalid write of size 8
==10085==    at 0x77B80D: js::ion::MPhi::addInput(js::ion::MDefinition*) (Vector.h:790)
==10085==    by 0x71B1D7: js::ion::MBasicBlock::setBackedge(js::ion::MBasicBlock*) (MIRGraph.cpp:661)
==10085==    by 0x6D1C83: js::ion::IonBuilder::finishLoop(js::ion::IonBuilder::CFGState&, js::ion::MBasicBlock*) (IonBuilder.cpp:1303)
==10085==    by 0x6E4577: js::ion::IonBuilder::traverseBytecode() (IonBuilder.cpp:1112)
==10085==    by 0x6E62ED: js::ion::IonBuilder::build() (IonBuilder.cpp:344)
==10085==    by 0x6C10DB: js::ion::BuildMIR(js::ion::IonBuilder&, js::ion::MIRGraph&) (Ion.cpp:692)
==10085==    by 0x6C4843: bool js::ion::IonCompile<&(js::ion::TestCompiler(js::ion::IonBuilder&, js::ion::MIRGraph&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:839)
==10085==    by 0x6C4C4B: js::ion::CanEnterAtBranch(JSContext*, JSScript*, js::StackFrame*, unsigned char*) (Ion.cpp:992)
==10085==    by 0x4A4CCF: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1516)
==10085==    by 0x4AAC16: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:321)
==10085==    by 0x4AB9C9: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:507)
==10085==    by 0x41D5A9: JS_ExecuteScript (jsapi.cpp:5626)
==10085==  Address 0x433fca0 is not stack'd, malloc'd or (recently) free'd
Keywords: crash
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Updated•12 years ago
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][ion:p1:fx18]
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
Group: core-security