Closed Bug 784652 Opened 12 years ago Closed 12 years ago

IonMonkey: Opt-only crash on heap near [@ defaultValue]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
major

Tracking

RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore][ion:p1:fx18])

Attachments

(1 file)

Attached file Testcase for shell
The attached testcase crashes on ionmonkey revision ab4f8a3762c6 (run with --ion -n -m --ion-eager).
Only reproduces in an opt-build (and requires gczeal enabled there). Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff070f920 in ?? ()
Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
(gdb) bt
#0  0x00007ffff070f920 in ?? ()
#1  0x00000000004b9e93 in defaultValue (cx=0xacb660, v=..., out=0x7fffffffc238) at ../jsobjinlines.h:73
#2  ToPrimitive (cx=0xacb660, v=..., out=0x7fffffffc238) at ../jsobjinlines.h:1328
#3  js::ToNumberSlow (cx=0xacb660, v=..., out=0x7fffffffc238) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsnum.cpp:1393
#4  0x00000000004ba66d in js::ToInt32Slow (cx=<value optimized out>, v=<value optimized out>, out=0x7fffffffc258) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsnum.cpp:1449
#5  0x0000000000784abf in ToInt32 (cx=0xacb660, lhs=<value optimized out>, rhs=..., out=0x7fffffffc29c) at ../jsapi.h:2845
#6  js::BitXor (cx=0xacb660, lhs=<value optimized out>, rhs=..., out=0x7fffffffc29c) at ../jsinterpinlines.h:886
#7  0x00007ffff7f46c84 in ?? ()
#8  0x00007fffffffc2c8 in ?? ()
#9  0x00007fffffffc29c in ?? ()
#10 0x00007ffff0711d00 in ?? ()
#11 0x00007fffffffc2a0 in ?? ()
#12 0x0000000000ab6ca0 in js::ion::CodeGenerator::visitBitOpV(js::ion::LBitOpV*)::BitLhsInfo ()
#13 0x00007ffff0714128 in ?? ()
#14 0x00007ffff7f47481 in ?? ()
#15 0x0000000000000440 in ?? () at ../assembler/assembler/AssemblerBuffer.h:104
#16 0xfffbfffff0715fc0 in ?? ()
[...]
(gdb) x /i $pc
=> 0x7ffff070f920:      mov    $0x10,%al
(gdb) info reg al
al             0x20     32
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
I tried reproducing this on mozilla-central fdfaef738a00 but failed. Also JSBugMon can't track this because it's an opt-only issue.
Whiteboard: [jsbugmon:update][ion:p1:fx18] → [jsbugmon:ignore][ion:p1:fx18]
Version: Other Branch → Trunk
Works for me, --enable-optimize --disable-debug --enable-gczeal, with --ion-eager.
Decoder, can you verify?
Christian, I can't reproduce this on the given cset either. Do we need some precise build flags, or should we get access to your test machine again?
WFM on tip too, shall we just close this?
Yeah, sgtm.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Group: core-security