Bug 821788 (Closed; opened 7 years ago, closed 7 years ago)

IonMonkey: Crash [@ js::EncapsulatedPtr<js::types::TypeObject, unsigned long>::operator->()] with gczeal(2)

Product/Component: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical
Hardware/OS: x86_64 Linux
Status: RESOLVED FIXED
Target Milestone: mozilla20
Reporter: decoder
Assignee: bhackett
Blocks: 1 open bug
Keywords: crash, testcase
Whiteboard: [jsbugmon:update]
Attachments: 1 file

The following testcase crashes on mozilla-central revision b11065872128 (run with --ion-eager):


// Fuzzer-reduced testcase for the JS shell (run with --ion-eager).
var appendToActual = function(s) {
    actual += s + ',';
}
// gczeal is a JS shell testing function; mode 2 with frequency 3 forces a
// GC every few allocations so the freed TypeObject is hit quickly.
gczeal(2,(3));
actual = '';
function loop(f) {}
function f(j, k) {
  // g flows into the loop through a phi; loop(g) is its only consumer.
  var g = function(a, b, c) {}
  for (k = 0; k < 5; ++k)
    appendToActual(loop(g));
}
f(1);
Assignee: general → wmccloskey
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   115546:8275b86c0b62
user:        Brian Hackett
date:        Mon Dec 10 12:02:31 2012 -0700
summary:     Remove bytecode uses analysis, keep track of SSA values that were folded away when building MIR, bug 818869. r=jandem

This iteration took 0.316 seconds to run.
Brian, can you take a look at this per comment 1? Thanks :) Might be a dup of the other bug (bug 821794).
Blocks: IonFuzz
Flags: needinfo?(bhackett1024)
Summary: Crash [@ js::EncapsulatedPtr<js::types::TypeObject, unsigned long>::operator->()] with gczeal(2) → IonMonkey: Crash [@ js::EncapsulatedPtr<js::types::TypeObject, unsigned long>::operator->()] with gczeal(2)
Attached patch: patch
This isn't exactly the same as bug 821794, but the two are very similar.  In both cases we were not marking operands of calls which were inlined as being folded, so that phis for the call or its this/arguments were being eliminated.  Since inlining decisions vary between compilations and affect what values are live/dead, these can never be eliminated.  This patch fixes the testcases in both bugs.
Assignee: wmccloskey → bhackett1024
Attachment #692736 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
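As an added illustration of the mechanism described in the comment above (this is not IonMonkey code and not part of the patch on this bug): a small Python model of a per-script analysis shared between compilations. The data structures, names and the exact way results are shared are hypothetical simplifications; what the model shows is why a phi whose only consumer is an inlined call must still be recorded as folded, since a later compilation of the same script may not inline that call and then needs the phi.

```python
# Toy model of the failure mode described in the comment above. Added
# illustration, not IonMonkey code: the data structures, names and the way
# analysis results are shared between compilations are hypothetical
# simplifications.

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Phi:
    """An SSA phi node (hypothetical shape)."""
    name: str
    operands: tuple


@dataclass(frozen=True)
class Call:
    """A call site; `args` are the SSA values it consumes (this/arguments)."""
    callee: str
    args: tuple


@dataclass
class ScriptAnalysis:
    """Per-script bookkeeping reused by every compilation of the script.

    folded: SSA values consumed by something that left no MIR use behind.
    eliminated_phis: phis a previous compilation decided were dead.
    """
    folded: set = field(default_factory=set)
    eliminated_phis: set = field(default_factory=set)


def compile_script(phis, calls, inline, analysis, mark_inlined_operands):
    """Simulate one compilation and return the call operands it cannot resolve.

    inline: callees this compilation chose to inline.
    mark_inlined_operands: False reproduces the bug; True models the fix of
    recording operands of inlined calls as folded.
    """
    uses = set()
    for call in calls:
        if call.callee in inline:
            # The call node disappears into the inlined body, so its operands
            # have no MIR use. The fix records them as folded anyway.
            if mark_inlined_operands:
                analysis.folded.update(call.args)
        else:
            uses.update(call.args)

    # Phi elimination: drop a phi nothing uses, unless it was folded away.
    for phi in phis:
        if phi.name not in uses and phi.name not in analysis.folded:
            analysis.eliminated_phis.add(phi.name)

    # Lowering the calls that were not inlined: every operand must map to a
    # live SSA value. An operand whose phi was eliminated by an earlier
    # compilation is the analogue of the null TypeObject dereference.
    return {
        arg
        for call in calls
        if call.callee not in inline
        for arg in call.args
        if arg in analysis.eliminated_phis
    }


def run_scenario(mark_inlined_operands):
    """Two compilations of the testcase shape above sharing one analysis.

    Returns the set of unresolvable operands seen by the second compilation.
    """
    # Constructed IR for the loop in f(): `g` flows into the loop through a
    # phi, and loop(g) is the only consumer of it.
    phis = [Phi("g", ("g_entry", "g_backedge"))]
    calls = [Call("loop", ("g",))]
    analysis = ScriptAnalysis()

    # First compilation (e.g. --ion-eager) inlines loop(): `g` gets no MIR use.
    compile_script(phis, calls, {"loop"}, analysis, mark_inlined_operands)
    # A later compilation (e.g. after a bailout) does not inline loop().
    return compile_script(phis, calls, set(), analysis, mark_inlined_operands)


if __name__ == "__main__":
    print("buggy:", run_scenario(False))  # {'g'}: phi gone, call still needs it
    print("fixed:", run_scenario(True))   # set(): phi kept because g is folded
```

The buggy run eliminates the phi for g during the inlining compilation and then fails to resolve g when the non-inlining compilation lowers loop(g); with the operands of the inlined call recorded as folded, the phi survives both compilations.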
NULL deref, doesn't affect any branches, not s-s.
Group: core-security
Duplicate of this bug: 821794
Duplicate of this bug: 821273
Attachment #692736 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/94bf149c73a3
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug821788.js.
Flags: in-testsuite+