Closed
Bug 821788
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::EncapsulatedPtr<js::types::TypeObject, unsigned long>::operator->()] with gczeal(2)
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
|
2.69 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision b11065872128 (run with --ion-eager):
var appendToActual = function(s) {
actual += s + ',';
}
gczeal(2,(3));
actual = '';
function loop(f) {}
function f(j, k) {
var g = function(a, b, c) {}
for (k = 0; k < 5; ++k)
appendToActual(loop(g));
}
f(1);
Assignee: general → wmccloskey
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 1•12 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 115546:8275b86c0b62 user: Brian Hackett date: Mon Dec 10 12:02:31 2012 -0700 summary: Remove bytecode uses analysis, keep track of SSA values that were folded away when building MIR, bug 818869. r=jandem This iteration took 0.316 seconds to run.
|
|
Reporter | |
Comment 2•12 years ago
|
||
Brian, can you take a look at this per comment 1? Thanks :) Might be a dup to the other bug (bug 821794).
Blocks: IonFuzz
Flags: needinfo?(bhackett1024)
Summary: Crash [@ js::EncapsulatedPtr<js::types::TypeObject, unsigned long>::operator->()] with gczeal(2) → IonMonkey: Crash [@ js::EncapsulatedPtr<js::types::TypeObject, unsigned long>::operator->()] with gczeal(2)
|
Assignee | |
Comment 3•12 years ago
|
||
This isn't exactly the same as bug 821794, but the two are very similar. In both cases we were not marking operands of calls which were inlined as being folded, so that phis for the call or its this/arguments were being eliminated. Since inlining decisions vary between compilations and affect what values are live/dead, these can never be eliminated. This patch fixes the testcases in both bugs.
Assignee: wmccloskey → bhackett1024
Attachment #692736 -
Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
|
|
Assignee | |
Comment 4•12 years ago
|
||
NULL deref, doesn't affect any branches, not s-s.
Group: core-security
|
||
Updated•12 years ago
|
Attachment #692736 -
Flags: review?(jdemooij) → review+
|
||
Updated•12 years ago
|
Keywords: checkin-needed
|
|
Assignee | |
Comment 7•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/94bf149c73a3
|
|
||
Updated•12 years ago
|
Keywords: checkin-needed
|
||
Comment 8•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/94bf149c73a3
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
|
|
Reporter | |
Comment 9•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug821788.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•