Bug 782129 (Closed)
IonMonkey: Crash on heap near [@ js::mjit::ic::Call]

Opened 12 years ago; closed 12 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: decoder; Assignee: Unassigned
Keywords: crash, testcase
Whiteboard: [ion:p1:fx18] [jsbugmon:update,ignore]
Attachments (1 file): patch, 1.36 KB; dvander: review+
Description

The following testcase crashes on ionmonkey revision f1764bf06b29 (run with --ion -n -m --ion-eager):

```js
var callStack = new Array();

function enterFunc (funcName) {
  funcName += "()";
  callStack.push(funcName);
}

function exitFunc (funcName) {
  var lastFunc = callStack.pop();
  funcName += "()";
  if (lastFunc != funcName)
    reportCompare();
}

try {
  test();
} catch(exc1) {}

function test() {
  enterFunc ('test');
  test();
}

for (var l = 0; l < 50000; l++)
  exitFunc ('test');
```
Comment 1 (Reporter), 12 years ago

Also happens on 64 bit. Crash info:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f44145 in ?? ()
Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
(gdb) bt
#0  0x00007ffff7f44145 in ?? ()
#1  0x00007fffffffbfb0 in ?? ()
#2  0x00000000007f5c61 in js::mjit::ic::Call (f=..., ic=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/methodjit/MonoIC.cpp:1291
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x7ffff7f44145:    testl  $0x7,(%rcx)
(gdb) info reg rcx
rcx            0x0    0
```
Updated, 12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Comment 2, 12 years ago

This is a type error. We assume that LArrayPopShiftT returns String, when this case goes through ion::ArrayPopDense() and returns UndefinedValue. Since the LIR is typed, we then load the Undefined payload 0x0 and segfault later during LCompareS.
Updated (Reporter), 12 years ago
Whiteboard: [jsbugmon:update][ion:p1:fx18] → [ion:p1:fx18] [jsbugmon:update,ignore]
Comment 3 (Reporter), 12 years ago

JSBugMon: The testcase found in this bug no longer reproduces (tried revision a8235a2a29c2).
Comment 4, 12 years ago

ion::ArrayPopDense() was correctly calling Monitor() if pop() resulted in an UndefinedValue, but the GetPcScript() function was returning a nonsensical PC when the Ion function was entered via a JM Ion-call IC.

Attachment #651594 - Flags: review?(dvander)
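The mechanism in comments 2 and 4 can be seen in a small model. The following is an added example written for this page, not SpiderMonkey code: it reduces the engine to a tagged value, a per-pc type set that Monitor() updates, a dense-array pop that returns Undefined with a zero payload, and a "typed" string compare that, like LCompareS, trusts the type set and never checks the tag before using the payload as a pointer. All names (observed_types, monitor, array_pop_dense, exit_func_compiled, run_testcase) and the layout of the type sets are hypothetical. The one knob is the pc that Monitor() files its observation under: when it matches the pop site, the first empty pop widens the site's type set and the typed path bails out; when it is wrong, as with the bad GetPcScript() result described in comment 4, the type set of the real site stays string-only and the compiled compare reaches the NULL payload, which is the `testl $0x7,(%rcx)` with `rcx == 0` from comment 1. The model reports that state instead of faulting.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tagged value: a type tag and a raw payload, as typed LIR sees it.
 * Undefined carries payload 0, the 0x0 that ended up in %rcx in the crash. */
typedef enum { T_UNDEFINED = 0, T_STRING = 1 } Tag;
typedef struct { Tag tag; const char *payload; } Value;

/* Hypothetical per-bytecode type sets: one bitmask of observed tags per pc. */
#define NUM_PCS 16
static unsigned observed_types[NUM_PCS];

void reset_type_sets(void) { memset(observed_types, 0, sizeof observed_types); }

/* Model of Monitor(): record that the pop at bytecode `pc` produced tag `t`.
 * If `pc` is wrong, the type set of the real pop site is never widened. */
static void monitor(unsigned pc, Tag t) { observed_types[pc % NUM_PCS] |= 1u << t; }

typedef struct { const char *elems[8]; size_t len; } DenseStringArray;

/* Dense-array pop in the spirit of ion::ArrayPopDense(): on an empty array it
 * returns Undefined and reports that through monitor(). */
static Value array_pop_dense(DenseStringArray *a, unsigned monitor_pc) {
    if (a->len == 0) {
        monitor(monitor_pc, T_UNDEFINED);
        return (Value){ T_UNDEFINED, NULL };
    }
    Value v = { T_STRING, a->elems[--a->len] };
    monitor(monitor_pc, T_STRING);
    return v;
}

typedef enum { OUTCOME_MATCH, OUTCOME_MISMATCH, OUTCOME_BAILOUT, OUTCOME_NULL_DEREF } Outcome;

/* Compiled exitFunc(): `var lastFunc = callStack.pop(); if (lastFunc != funcName) ...`
 * as typed code. The compare trusts the type set of `pop_pc`, so it never checks the
 * tag before treating the payload as a string pointer. `monitor_pc` is where the pop
 * result is recorded: equal to `pop_pc` when the script/pc lookup is right, some
 * other pc when it is not. */
Outcome exit_func_compiled(DenseStringArray *stack, const char *func_name,
                           unsigned pop_pc, unsigned monitor_pc) {
    Value last = array_pop_dense(stack, monitor_pc);

    /* The only guard typed code has: did this site ever produce a non-string?
     * A correct pc makes this fire on the first empty pop; a wrong one does not. */
    if (observed_types[pop_pc % NUM_PCS] & ~(1u << T_STRING))
        return OUTCOME_BAILOUT;

    /* Unchecked payload use, as in the crashing load. The engine dereferenced
     * here; the model reports the condition instead of faulting. */
    if (last.payload == NULL)
        return OUTCOME_NULL_DEREF;
    return strcmp(last.payload, func_name) == 0 ? OUTCOME_MATCH : OUTCOME_MISMATCH;
}

/* The testcase's shape: a constructed stack with fewer pushes than pops. */
Outcome run_testcase(unsigned pop_pc, unsigned monitor_pc) {
    reset_type_sets();
    DenseStringArray stack = { { "test()", "test()" }, 2 };
    Outcome o = OUTCOME_MATCH;
    for (int i = 0; i < 3 && o == OUTCOME_MATCH; i++)
        o = exit_func_compiled(&stack, "test()", pop_pc, monitor_pc);
    return o;
}

int main(void) {
    printf("monitor at the pop site:   outcome %d (2 = bailout)\n", run_testcase(3, 3));
    printf("monitor at a wrong pc:     outcome %d (3 = null payload reached)\n", run_testcase(3, 9));
    return 0;
}
```

The point the model makes is that a typed fast path is only as safe as the bookkeeping that would invalidate it: the callee did report the Undefined, but a report filed against the wrong pc leaves the speculating code with no reason to stop trusting a payload that is now a null pointer.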
Updated, 12 years ago
Attachment #651594 - Flags: review?(dvander) → review+
Comment 5, 12 years ago

http://hg.mozilla.org/projects/ionmonkey/rev/e244389fbfc4

Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 6 (Reporter), 11 years ago

Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397

Flags: in-testsuite+