Closed Bug 883626 Opened 11 years ago Closed 11 years ago

Crash [@ js::ion::GetPcScript]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24

People

(Reporter: gkw, Assigned: h4writer)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

stack
18.45 KB, text/plain
Details
Patch
663 bytes, patch
luke
: review+
Details | Diff | Splinter Review
Attached file stack 
x = (function() {
    yield
})()
Array.prototype.unshift.call(x, x);
Array.prototype.unshift.call(x, /x/)
Array.prototype.sort.call(x, (function(t, foreign) {
    "use asm";
    var ff = foreign.ff
    function f() {
        return +ff()
    }
    return f
})(this, {
    ff: SyntaxError
}))


crashes js debug and opt shell on m-c changeset 36da3cb92193 without any CLI arguments at js::ion::GetPcScript (opt shell crashes at a near NULL deref).

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/05bf9122d234
user:        Benjamin Bouvier
date:        Thu Jun 13 11:47:09 2013 -0700
summary:     Bug 882514: Don't try to enable Ion on functions with no script; r=h4writer
Flags: needinfo?(bbouvier)
The asm function doesn't have to be called through sort.  This also crashes:

(function(t, foreign) {
    "use asm";
    var ff = foreign.ff
    function f() {
        return +ff()
    }
    return f
})(this, {
    ff: SyntaxError
})()
Crash Signature: [@ js::ion::GetPcScript] → [@ js::ion::GetPcScript(JSContext*, JSScript**, unsigned char**)]
I can reproduce the crash
bp-af183c46-a39c-474c-9bb9-6365f2130616

Steps to reproduce:
1. Install https://addons.mozilla.org/en-US/firefox/addon/execute-js/?src=search and restart
2. Alt > Tools > Open Execute JS
3. Paste JS code of comment #0 to upper-left pane
4. Click Execute button

Actual Results:
Crash

Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/6f52e55ac5be
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130612 Firefox/24.0 ID:20130612124657
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/2810e80e1393
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130612 Firefox/24.0 ID:20130612130058
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=6f52e55ac5be&tochange=2810e80e1393

Triggered by:
2810e80e1393	Hannes Verschore — Bug 860838: OdinMonkey: Optimize FFI calls to ionmonkey, r=luke


And following builds also craches, So, it is different regression range in comment #0.
http://hg.mozilla.org/integration/mozilla-inbound/rev/03e03ea1a842
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130613 Firefox/24.0 ID:20130613104608
http://hg.mozilla.org/integration/mozilla-inbound/rev/05bf9122d234
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130613 Firefox/24.0 ID:20130613114805
I'll take this bug. I have an idea where the fault located is. It is not a fall-out from bug 860838, but from the original bug 860838.
Assignee: general → hv1989
Blocks: 860838
Flags: needinfo?(bbouvier)
*not a fall-out from bug 882514
Attached patch PatchSplinter Review 
This fixes the problem here. Gonna quickly check if there are more places where we hit this.
Attachment #764168 - Flags: review?(luke)
Attachment #764168 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/e4dd6f0845c5
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: