Closed Bug 842025 Opened 12 years ago Closed 12 years ago

crash in js::ion::IonBuilder::getTypedArrayLength

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
21 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 841462
Tracking Flags:
Tracking Status
firefox20 --- unaffected
firefox21 + fixed

People

(Reporter: scoobidiver, Unassigned)

References

(
URL
)

Details

(Keywords: crash, regression, reproducible)

Crash Data

Attachments

(2 files)

reduced test case
277 bytes, application/javascript
Details
patch
1.12 KB, patch
Details | Diff | Splinter Review
It first showed up in 21.0a1/20130215. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=aceeea086ccb&tochange=953b1db7a246 Signature js::ion::IonBuilder::getTypedArrayLength(js::ion::MDefinition*) More Reports Search UUID 63f11f83-523f-4d74-a90e-aa35c2130216 Date Processed 2013-02-16 12:52:16 Uptime 40 Last Crash 7.8 minutes before submission Install Age 20.4 hours since version was first installed. Install Time 2013-02-15 16:28:00 Product Firefox Version 21.0a1 Build ID 20130215031040 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info AuthenticAMD family 16 model 10 stepping 0 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x38 User Comments http://www.scirra.com/labs/raindemo/ App Notes AdapterVendorID: 0x10de, AdapterDeviceID: 0x11c6, AdapterSubsysID: 35571458, AdapterDriverVersion: 9.18.13.1396 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ WebGL? EGL? EGL+ GL Context? GL Context+ WebGL+ Processor Notes sp-processor04.phx1.mozilla.com_18912:2008 EMCheckCompatibility True Adapter Vendor ID 0x10de Adapter Device ID 0x11c6 Total Virtual Memory 4294836224 Available Virtual Memory 3699724288 System Memory Use Percentage 36 Available Page File 2889662464 Available Physical Memory 2708045824 Frame Module Signature Source 0 mozjs.dll js::ion::IonBuilder::getTypedArrayLength js/src/ion/IonBuilder.cpp:5441 1 mozjs.dll js::ion::IonBuilder::jsop_getelem_typed js/src/ion/IonBuilder.cpp:5512 2 mozjs.dll js::ion::IonBuilder::jsop_getelem js/src/ion/IonBuilder.cpp:5302 3 mozjs.dll js::ion::IonBuilder::inspectOpcode js/src/ion/IonBuilder.cpp:1016 4 mozjs.dll js::ion::IonBuilder::traverseBytecode js/src/ion/IonBuilder.cpp:687 5 mozjs.dll js::ion::IonBuilder::buildInline js/src/ion/IonBuilder.cpp:486 6 mozjs.dll js::ion::IonBuilder::inlineScriptedCall js/src/ion/IonBuilder.cpp:2910 7 mozjs.dll js::ion::IonBuilder::inlineScriptedCalls js/src/ion/IonBuilder.cpp:3391 8 mozjs.dll js::ion::IonBuilder::jsop_call js/src/ion/IonBuilder.cpp:4031 9 mozjs.dll js::ion::IonBuilder::inspectOpcode js/src/ion/IonBuilder.cpp:940 ... 22 mozjs.dll js::ion::IonBuilder::traverseBytecode js/src/ion/IonBuilder.cpp:687 23 mozjs.dll js::ion::IonBuilder::build js/src/ion/IonBuilder.cpp:349 24 mozjs.dll js::ion::SequentialCompileContext::compile js/src/ion/Ion.cpp:1223 25 mozjs.dll js::ion::IonCompile<js::ion::SequentialCompileContext> js/src/ion/Ion.cpp:1184 26 mozjs.dll js::ion::Compile<js::ion::SequentialCompileContext> js/src/ion/Ion.cpp:1398 27 mozjs.dll js::ion::CanEnter js/src/ion/Ion.cpp:1498 28 mozjs.dll js::mjit::stubs::TriggerIonCompile js/src/methodjit/StubCalls.cpp:812 29 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:1042 30 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:1100 31 mozjs.dll js::Interpret js/src/jsinterp.cpp:1375 32 mozjs.dll js::RunScript js/src/jsinterp.cpp:316 33 mozjs.dll mozjs.dll@0x5da00 34 @0x11b00000 35 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:1042 36 mozjs.dll js::ion::Compile<js::ion::SequentialCompileContext> js/src/ion/Ion.cpp:1371 37 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:1100 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3AIonBuilder%3A%3AgetTypedArrayLength%28js%3A%3Aion%3A%3AMDefinition*%29
Maybe this is related to Bug 837076
Looks like during inlining of functions, we sometimes end up with code where we infer as a typed array read, but the constant value we are accessing is |undefined| and not a typed array.
Attached file reduced test case
Attached patch patchSplinter Review
Yeah, we'll generate the typed array accesses if the value is guaranteed to be a typed array provided it is an object. If the value is constant (i.e. Ion has more information than TI due to inlining) then it is still not guaranteed to be an object.
Attachment #714800 - Flags: review?(dvander)
Blocks: 832578
Crash Signature: [@ js::ion::IonBuilder::getTypedArrayLength(js::ion::MDefinition*)] → [@ js::ion::IonBuilder::getTypedArrayLength(js::ion::MDefinition*)] [@ js::TypedArray::lengthValue(JSObject*)] [@ js::TypedArray::length(JSObject*)]
tracking-firefox21: --- → ?
Keywords: regressionwindow-wanted
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: