Closed Bug 854034 Opened 11 years ago Closed 11 years ago

IonMonkey: Crash [@ js::CloneFunctionAtCallsite] or Assertion failure: hasScript(), at jsfun.h

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla22
Tracking Status
firefox19 --- unaffected
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected
b2g18-v1.0.0 --- unaffected
b2g18-v1.0.1 --- unaffected

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update][adv-main22-])

Attachments

(2 files)

Attached file stacks
try {
    // Pass a self-hosted function (ParallelArray.prototype.map) as the callback to Array.prototype.some.
    [].some(ParallelArray.prototype.map)
} catch (e) {}
for (var z = 0; z < 9; z++) {
    // Loop so the call site gets hot enough for Ion; the callback here is a native constructor with no script.
    [1].some(Float32Array)
}

crashes the js opt shell on ionmonkey changeset f035cd0ee56e with --ion-eager at js::CloneFunctionAtCallsite and asserts the js debug shell with Assertion failure: hasScript(), at jsfun.h

s-s because there are a bunch of memory addresses on the stack.
I also tested this with a threadsafe build and --enable-more-deterministic, not sure if the latter is needed.
This also asserts on mozilla-inbound. Seems to be related to revision a04dde344d24.
Summary: BaselineCompiler: Crash [@ js::CloneFunctionAtCallsite] or Assertion failure: hasScript(), at jsfun.h → IonMonkey: Crash [@ js::CloneFunctionAtCallsite] or Assertion failure: hasScript(), at jsfun.h
Attached patch Patch
Attachment #728505 - Flags: review?(nmatsakis)
Attachment #728505 - Flags: review?(nmatsakis) → review+
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   125947:b00eb1ef1517
user:        Nicholas D. Matsakis
date:        Tue Mar 19 22:12:27 2013 -0400
summary:     Bug 829602 - Enable self-hosted parallelarray r=dvander,till
Blocks: 829602, IonFuzz
No longer blocks: BaselineFuzz
Only nightly is affected, so this can likely go in without sec-approval.
(I've let djvj via IRC know that I'll be setting checkin-needed here to fix fuzzer issues, hope that this sticks)
https://hg.mozilla.org/mozilla-central/rev/6c50015e2073
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Group: core-security