Closed Bug 852342 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: live->empty(), at ion/LiveRangeAllocator.cpp:780 or Crash on Heap or Crash [@ GetValueType]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla22
Tracking Status
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: nbp)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main22-])

Crash Data

Attachments

(1 file)

The following testcase asserts on mozilla-central revision b03bb3ce8cee (run with --ion-eager):

function A(a) { }
function B(b) { this.b = b; }
function C(c) {}
function makeArray(n) {
  var classes = [A, B, C];
  var arr = [];
  // i starts out as a string; the comparison and i++ coerce it to a number
  for (var i = (" "); i < n; i++) {
    arr.push(new classes[i % 3](i % 3));
  }
}
var arr = makeArray(30000);
A slightly less reduced version just crashed on the heap, this one now crashes differently in opt:

Program received signal SIGSEGV, Segmentation fault.
GetValueType (val=..., cx=<optimized out>) at ../jsinferinlines.h:218
218	    return Type::ObjectType(&val.toObject());
(gdb) bt
#0  GetValueType (val=..., cx=<optimized out>) at ../jsinferinlines.h:218
#1  GetValueType (val=..., cx=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinfer.cpp:3705
#2  js::types::TypeObject::addPropertyType (this=0xf741e460, cx=0x85ea608, id=JSID_VOID, value=...) at /srv/repos/mozilla-central/js/src/jsinfer.cpp:3707
#3  0x080753c8 in AddTypePropertyId (value=..., id=JSID_VOID, obj=(JSObject *) 0xf742e150 [object Array], cx=0x85ea608) at ../jsinferinlines.h:619
#4  JSObject::setDenseElementWithType (cx=0x85ea608, obj=(JSObject * const) 0xf742e150 [object Array], idx=6, val=...) at ../jsobjinlines.h:472
#5  0x0807f206 in array_push1_dense (args=..., obj=(JSObject * const) 0xf742e150 [object Array], cx=0x85ea608) at /srv/repos/mozilla-central/js/src/jsarray.cpp:1701
#6  js::array_push (cx=0x85ea608, argc=1, vp=0xffffc5f0) at /srv/repos/mozilla-central/js/src/jsarray.cpp:1741
#7  0x08403853 in js::ion::ArrayPushDense (cx=0x85ea608, obj=(JSObject * const) 0xf742e150 [object Array], v=$jsval(-nan(0xfff8700000000)), length=0xffffc65c) at /srv/repos/mozilla-central/js/src/ion/VMFunctions.cpp:330
#8  0xf7fc94d1 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x80db7aa <js::types::TypeObject::addPropertyType(JSContext*, int, JS::Value const&)+202>:	mov    0x4(%edi),%eax
(gdb) info reg edi
edi            0x0	0

Probably a null-deref but I don't know because of the heap crash. Leaving s-s until confirmed to be harmless.
Crash Signature: [@ GetValueType]
Keywords: crash
Summary: IonMonkey: Assertion failure: live->empty(), at ion/LiveRangeAllocator.cpp:780 or Crash on Heap → IonMonkey: Assertion failure: live->empty(), at ion/LiveRangeAllocator.cpp:780 or Crash on Heap or Crash [@ GetValueType]
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   122585:437c955ff06d
user:        Nicolas B. Pierron
date:        Wed Jan 30 07:41:01 2013 -0800
summary:     Bug 796114 - Inline with type-checked arguments. r=h4writer

This iteration took 14.199 seconds to run.
Yet another one Nicolas :)
Blocks: IonFuzz
Flags: needinfo?(nicolas.b.pierron)
Ah, finally a different one. The issue is that the callInfo content is mutated to update the arguments depending on the callee. This is causing problems with poly-inline where the first function has some excluded types.
Assignee: general → nicolas.b.pierron
Blocks: 796114
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
Attachment #726992 - Flags: review?(hv1989) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a73a2b5c423b).
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main22-]
Group: core-security