Closed
Bug 854034
Opened 11 years ago
Closed 11 years ago
IonMonkey: Crash [@ js::CloneFunctionAtCallsite] or Assertion failure: hasScript(), at jsfun.h
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla22
Release | Tracking | Status |
---|---|---|
firefox19 | --- | unaffected |
firefox20 | --- | unaffected |
firefox21 | --- | unaffected |
firefox22 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
b2g18-v1.0.0 | --- | unaffected |
b2g18-v1.0.1 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][adv-main22-])
Attachments
(2 files)
2.45 KB, text/plain
972 bytes, patch | nmatsakis: review+
try {
    [].some(ParallelArray.prototype.map)
} catch (e) {}
for (var z = 0; z < 9; z++) {
    [1].some(Float32Array)
}

crashes js opt shell on ionmonkey changeset f035cd0ee56e with --ion-eager at js::CloneFunctionAtCallsite and asserts js debug shell at Assertion failure: hasScript(), at jsfun.h

s-s because there is a bunch of memory addresses on the stack.
Reporter
Comment 1•11 years ago
I also tested this with a threadsafe and --enable-more-deterministic, not sure if the latter is needed.
Comment 2•11 years ago
This also asserts on mozilla-inbound. Seems to be related to revision a04dde344d24.
Summary: BaselineCompiler: Crash [@ js::CloneFunctionAtCallsite] or Assertion failure: hasScript(), at jsfun.h → IonMonkey: Crash [@ js::CloneFunctionAtCallsite] or Assertion failure: hasScript(), at jsfun.h
Comment 3•11 years ago
Attachment #728505 - Flags: review?(nmatsakis)
Updated•11 years ago
Attachment #728505 - Flags: review?(nmatsakis) → review+
Reporter
Comment 4•11 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 125947:b00eb1ef1517
user: Nicholas D. Matsakis
date: Tue Mar 19 22:12:27 2013 -0400
summary: Bug 829602 - Enable self-hosted parallelarray r=dvander,till
Reporter
Comment 5•11 years ago
Only nightly is affected, this can likely go in without sec-approval.
status-b2g18: --- → unaffected
status-b2g18-v1.0.0: --- → unaffected
status-b2g18-v1.0.1: --- → unaffected
status-firefox19: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox22: --- → ?
Reporter
Updated•11 years ago
Keywords: checkin-needed
Reporter
Comment 6•11 years ago
(I've let djvj via IRC know that I'll be setting checkin-needed here to fix fuzzer issues, hope that this sticks)
Comment 7•11 years ago
Pushed: https://hg.mozilla.org/integration/mozilla-inbound/rev/6c50015e2073
Reporter
Updated•11 years ago
Keywords: checkin-needed
Comment 8•11 years ago
https://hg.mozilla.org/mozilla-central/rev/6c50015e2073
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Updated•11 years ago
Status: RESOLVED → VERIFIED
Comment 9•11 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•11 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Updated•11 years ago
Group: core-security