Bug 852342 (Closed)
Opened 12 years ago; closed 12 years ago
IonMonkey: Assertion failure: live->empty(), at ion/LiveRangeAllocator.cpp:780 or Crash on Heap or Crash [@ GetValueType]
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla22
Branch | Tracking | Status
---|---|---
firefox20 | --- | unaffected
firefox21 | --- | unaffected
firefox22 | --- | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People: Reporter: decoder, Assigned: nbp
Details: 4 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main22-]
Attachments (1 file): patch, 4.32 KB, h4writer: review+
The following testcase asserts on mozilla-central revision b03bb3ce8cee (run with --ion-eager):
```js
function A(a) { }
function B(b) { this.b = b; }
function C(c) {}
function makeArray(n) {
    var classes = [A, B, C];
    var arr = [];
    // The string " " coerces to 0 in the comparison, the modulo and the
    // increment, so the loop runs n times; the call site constructs A, B and C
    // in turn and is therefore polymorphic (the pattern the inliner trips over).
    for (var i = (" "); i < n; i++) {
        arr.push(new classes[i % 3](i % 3));
    }
}
var arr = makeArray(30000);
```
Comment 1 (Reporter, 12 years ago):
A slightly less reduced version just crashed on the heap, this one now crashes differently in opt:
```
Program received signal SIGSEGV, Segmentation fault.
GetValueType (val=..., cx=<optimized out>) at ../jsinferinlines.h:218
218 return Type::ObjectType(&val.toObject());
(gdb) bt
#0 GetValueType (val=..., cx=<optimized out>) at ../jsinferinlines.h:218
#1 GetValueType (val=..., cx=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinfer.cpp:3705
#2 js::types::TypeObject::addPropertyType (this=0xf741e460, cx=0x85ea608, id=JSID_VOID, value=...) at /srv/repos/mozilla-central/js/src/jsinfer.cpp:3707
#3 0x080753c8 in AddTypePropertyId (value=..., id=JSID_VOID, obj=(JSObject *) 0xf742e150 [object Array], cx=0x85ea608) at ../jsinferinlines.h:619
#4 JSObject::setDenseElementWithType (cx=0x85ea608, obj=(JSObject * const) 0xf742e150 [object Array], idx=6, val=...) at ../jsobjinlines.h:472
#5 0x0807f206 in array_push1_dense (args=..., obj=(JSObject * const) 0xf742e150 [object Array], cx=0x85ea608) at /srv/repos/mozilla-central/js/src/jsarray.cpp:1701
#6 js::array_push (cx=0x85ea608, argc=1, vp=0xffffc5f0) at /srv/repos/mozilla-central/js/src/jsarray.cpp:1741
#7 0x08403853 in js::ion::ArrayPushDense (cx=0x85ea608, obj=(JSObject * const) 0xf742e150 [object Array], v=$jsval(-nan(0xfff8700000000)), length=0xffffc65c)
    at /srv/repos/mozilla-central/js/src/ion/VMFunctions.cpp:330
#8 0xf7fc94d1 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x80db7aa <js::types::TypeObject::addPropertyType(JSContext*, int, JS::Value const&)+202>: mov 0x4(%edi),%eax
(gdb) info reg edi
edi 0x0 0
```
Probably a null-deref but I don't know because of the heap crash. Leaving s-s until confirmed to be harmless.
Crash Signature: [@ GetValueType]
Keywords: crash
Summary: IonMonkey: Assertion failure: live->empty(), at ion/LiveRangeAllocator.cpp:780 or Crash on Heap → IonMonkey: Assertion failure: live->empty(), at ion/LiveRangeAllocator.cpp:780 or Crash on Heap or Crash [@ GetValueType]
Whiteboard: [jsbugmon:update,bisect]
Updated (Reporter, 12 years ago):
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 (Reporter, 12 years ago):
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 122585:437c955ff06d
user: Nicolas B. Pierron
date: Wed Jan 30 07:41:01 2013 -0800
summary: Bug 796114 - Inline with type-checked arguments. r=h4writer
This iteration took 14.199 seconds to run.
Comment 3 (Reporter, 12 years ago):
Yet another one Nicolas :)
Blocks: IonFuzz
Flags: needinfo?(nicolas.b.pierron)
Comment 4 (Assignee, 12 years ago):
Ah, finally a different one. The issue is that the callInfo content is mutated to update the arguments as a function of the callee. This is causing problems with poly-inline where the first function has some excluded types.
Assignee: general → nicolas.b.pierron
Blocks: 796114
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
Comment 5 (Assignee, 12 years ago):
Attachment #726992 - Flags: review?(hv1989)
Updated (12 years ago):
Attachment #726992 - Flags: review?(hv1989) → review+
Comment 6 (Assignee, 12 years ago):
Updated (12 years ago):
status-b2g18: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → affected
status-firefox-esr17: --- → unaffected
Keywords: sec-high
Updated (Reporter, 12 years ago):
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 7 (Reporter, 12 years ago):
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a73a2b5c423b).
Comment 8 (12 years ago):
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Updated (Reporter, 12 years ago):
Status: RESOLVED → VERIFIED
Comment 9 (Reporter, 12 years ago):
JSBugMon: This bug has been automatically verified fixed.
Updated (11 years ago):
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main22-]
Updated (11 years ago):
Group: core-security