808453 - IonMonkey: Crash on Heap with NULL-deref

Status: RESOLVED DUPLICATE of bug 807047

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision e9a9341e27ed (run with --ion-eager):


function testCALLELEM() {
    var x = [({}).operators];
    for (var i = 0; i < 5; ++i)
      y = x[i]();
}
testCALLELEM()

Comment 1

[Christian Holler (:decoder)]

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fe906c in ?? ()
(gdb) bt
#0  0x00007ffff7fe906c in ?? ()
#1  0xfffbfffff601c080 in ?? ()
#2  0x00007ffff601c080 in ?? ()
#3  0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x7ffff7fe906c:      mov    (%rax),%r8
(gdb) info reg rax
rax            0x0      0


Looks like a null-deref, but since this is a crash in JIT code without symbols, marking s-s until triaged.

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   111708:4a2c17905a17
user:        Nicolas B. Pierron
date:        Mon Oct 29 14:48:45 2012 -0700
summary:     Bug 792631 - Add IC for missing properties. r=dvander

This iteration took 0.464 seconds to run.

Comment 3

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision f4aeed115e54).

Comment 4

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   112365:197b182baf4f
user:        Nicolas B. Pierron
date:        Mon Nov 05 16:40:41 2012 -0800
summary:     Bug 807047 - Only use missing property cache on non-idempotent IC. r=jandem

This iteration took 0.203 seconds to run.