Bug 833076 - IonMonkey: Assertion failure: script->types, at ../jsinferinlines.h:992 or Crash [@ js_CreateThisForFunctionWithProto]
Status: VERIFIED FIXED (opened 12 years ago, closed 12 years ago)
Categories: Core :: JavaScript Engine, defect
Target milestone: mozilla22
People: Reporter: decoder, Assigned: bhackett1024
Keywords: assertion, crash, testcase
Whiteboard: [jsbugmon:update][qa-]
Attachments (1 file): patch, 1.15 KB (jandem: review+, bajaj: approval-mozilla-aurora+)
The following testcase asserts on mozilla-central revision 4919e8091542 (run with --ion-eager):
eval("(function() { " + "\
var Constr = function( ... property) {};\
Constr.prototype = 0.0;\
var c = new Constr( ) ;\
" + " })();");
Comment 1 • Reporter • 12 years ago
Crash looks harmless:
==4558== Invalid read of size 4
==4558== at 0x4D8691: js_CreateThisForFunctionWithProto(JSContext*, JS::Handle<JSObject*>, JSObject*) (jsobj.cpp:4840)
==4558== by 0x4D8B8E: js_CreateThisForFunction(JSContext*, JS::Handle<JSObject*>, bool) (jsobj.cpp:1452)
==4558== by 0x788DB1: js::ion::CreateThis(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) (VMFunctions.cpp:503)
==4558== by 0x4029765: ???
==4558== by 0x6EC7A1: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1578)
==4558== by 0x4B162D: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2415)
==4558== by 0x4B3AAA: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:348)
==4558== by 0x4B3D04: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:537)
==4558== by 0x616D3A: EvalKernel(JSContext*, JS::CallArgs const&, EvalType, js::StackFrame*, JS::Handle<JSObject*>) (Eval.cpp:286)
==4558== by 0x618148: js::DirectEval(JSContext*, JS::CallArgs const&) (Eval.cpp:337)
==4558== by 0x4AE3A5: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2334)
==4558== by 0x4B3AAA: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:348)
==4558== Address 0x48 is not stack'd, malloc'd or (recently) free'd
Blocks: IonFuzz
Crash Signature: [@ js_CreateThisForFunctionWithProto]
Keywords: crash
Summary: Assertion failure: script->types, at ../jsinferinlines.h:992 or Crash [@ js_CreateThisForFunctionWithProto] → IonMonkey: Assertion failure: script->types, at ../jsinferinlines.h:992 or Crash [@ js_CreateThisForFunctionWithProto]
Whiteboard: [jsbugmon:update,bisect]
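The faulting address 0x48 in the trace above is a small offset from zero, and the crash signature is the first named frame. As an added example (not part of the bug or of JSBugMon), this Python sketch derives both from a Valgrind record; the 0x1000 near-null threshold and the review rule are assumptions of the example.

```python
import re

# Excerpt of the Valgrind report quoted in comment 1 of this bug.
REPORT = """\
==4558== Invalid read of size 4
==4558== at 0x4D8691: js_CreateThisForFunctionWithProto(JSContext*, JS::Handle<JSObject*>, JSObject*) (jsobj.cpp:4840)
==4558== by 0x4D8B8E: js_CreateThisForFunction(JSContext*, JS::Handle<JSObject*>, bool) (jsobj.cpp:1452)
==4558== by 0x4029765: ???
==4558== Address 0x48 is not stack'd, malloc'd or (recently) free'd
"""

# Assumption: accesses below one page are treated as null-pointer dereferences.
NEAR_NULL_LIMIT = 0x1000
ACCESS = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (.+)")
ADDRESS = re.compile(r"Address (0x[0-9A-Fa-f]+) is (.+)")

def triage(report):
    """Summarise one Valgrind invalid-access record for crash triage."""
    out = {"access": None, "size": None, "frames": [],
           "address": None, "unmapped": False}
    for line in report.splitlines():
        body = re.sub(r"^==\d+==\s*", "", line)  # drop the "==pid==" prefix
        if m := ACCESS.match(body):
            out["access"], out["size"] = m.group(1), int(m.group(2))
        elif m := FRAME.match(body):
            # Keep the function name only: drop arguments and source location.
            out["frames"].append(m.group(1).split("(")[0].strip())
        elif m := ADDRESS.match(body):
            out["address"] = int(m.group(1), 16)
            out["unmapped"] = "not stack'd" in m.group(2)
    # Signature is the innermost frame that has a symbol ("???" is JIT code).
    named = [f for f in out["frames"] if f != "???"]
    out["signature"] = f"[@ {named[0]}]" if named else None
    addr = out["address"]
    out["near_null"] = addr is not None and addr < NEAR_NULL_LIMIT
    # Anything other than a near-null read gets a security review by default.
    out["needs_security_review"] = not (out["near_null"] and out["access"] == "read")
    return out
```
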
Updated • Reporter • 12 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 • Reporter • 12 years ago
JSBugMon: Bisection requested, failed due to error (try manually).
Updated • Reporter • 12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect]
Updated • Reporter • 12 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 • Reporter • 12 years ago
JSBugMon: Bisection requested, failed due to error (try manually).
Updated • Reporter • 12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 4 • Reporter • 12 years ago
JSBugMon: Cannot process bug: Unknown exception (check manually)
Updated • Reporter • 12 years ago
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Updated • Reporter • 12 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 5 • Reporter • 12 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 119380:88daef90f2ab
user: Brian Hackett
date: Sun Jan 20 02:49:21 2013 -0700
summary: Bug 821361 - Optimize type information in closures that only run once, r=luke.
This iteration took 111.004 seconds to run.
Comment 6 • Reporter • 12 years ago
Brian or Luke, can you take a look?
Comment 7 • Assignee • 12 years ago
Preexisting issue, though I don't think it was possible to hit before bug 821361.
Assignee: general → bhackett1024
Attachment #725767 - Flags: review?(jdemooij)
Updated • 12 years ago
Attachment #725767 - Flags: review?(jdemooij) → review+
Comment 8 • Assignee • 12 years ago
Comment 9 • Assignee • 12 years ago
Comment on attachment 725767 (patch)
[Approval Request Comment]
Bug caused by (feature/regressing bug #): old, recently exposed
User impact if declined: potential null crash
Risk to taking this patch (and alternatives if risky): none
Attachment #725767 - Flags: approval-mozilla-aurora?
Comment 10 • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Comment 11 • 12 years ago
Comment on attachment 725767 (patch)
Low risk patch, avoids null crash. Approving for uplift.
Attachment #725767 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 12 • 12 years ago
status-firefox21: --- → fixed
status-firefox22: --- → fixed
Comment 13 • 12 years ago
Is there any manual verification needed, considering the automated test that is available?
Comment 14 • Reporter • 12 years ago
No verification needed as the test has been landed (and also uplifted).
Status: RESOLVED → VERIFIED
Comment 15 • 12 years ago
Marking [qa-] as per comment 14. Please remove this whiteboard tag and add the qawanted keyword if some testing is needed.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][qa-]