Closed Bug 821794 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash on Heap through [@ EnterIon]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 821788

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision b11065872128 (run with --ion-eager):


gczeal(2);                       // shell-only: force very frequent GCs so GC-related bugs surface quickly
function bitsinbyte() {
    var [ summary  ]  = true;    // array-destructure a non-iterable; the deliberate trigger for this crash
}
function TimeFunc(func) {
    for(var y=0; y<11000; y++)   // enough iterations for Ion to compile and enter the function
        func();
}
TimeFunc(bitsinbyte);

Crashtrace:

==12281== Invalid read of size 8
==12281==    at 0x403E100: ???
==12281==    by 0x89A960: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1527)
==12281==    by 0x89AD84: js::ion::SideCannon(JSContext*, js::StackFrame*, unsigned char*) (Ion.cpp:1599)
==12281==    by 0x539641: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1428)
==12281==    by 0x535645: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:346)
==12281==    by 0x5365D0: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:535)
==12281==    by 0x53682A: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:573)
==12281==    by 0x454C22: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5571)
==12281==    by 0x40A2F9: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:579)
==12281==    by 0x416B07: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4913)
==12281==    by 0x416CF7: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4950)
==12281==    by 0x417692: main (js.cpp:5153)
==12281==  Address 0x28 is not stack'd, malloc'd or (recently) free'd
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   115546:8275b86c0b62
user:        Brian Hackett
date:        Mon Dec 10 12:02:31 2012 -0700
summary:     Remove bytecode uses analysis, keep track of SSA values that were folded away when building MIR, bug 818869. r=jandem

This iteration took 0.345 seconds to run.
Brian, can you look at this per comment 2? Thanks :)
Blocks: IonFuzz
Flags: needinfo?(bhackett1024)
Summary: Crash on Heap through [@ EnterIon] → IonMonkey: Crash on Heap through [@ EnterIon]
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug821794.js.
Flags: in-testsuite+