Closed
Bug 908625
Opened 12 years ago
Closed 12 years ago
Crash [@ js::ion::MBasicBlock::lastIns] or Opt-Crash [@ js::ion::MBasicBlock::getSuccessor] with try-catch compilation
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla26
People
(Reporter: decoder, Assigned: jandem)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files)
|
1.06 KB,
text/plain
|
Details | |
|
2.05 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision fb2318875cd4 (threadsafe build, run with --fuzzing-safe --ion-compile-try-catch --ion-eager):
var a = [];
function gramps(a, i) {}
for (;;) {
try {
k++;
} catch(e) {
break;
}
}
for (var i = 0; i < 9; i++)
gramps(a, i);
|
Reporter | |
Comment 1•12 years ago
|
||
|
|
Reporter | |
Comment 2•12 years ago
|
||
Assigned to Jan because this is with --ion-compile-try-catch :)
Assignee: general → jdemooij
Blocks: 866888
|
Assignee | |
Comment 3•12 years ago
|
||
Ion does not compile catch blocks, so if the OSR pc is only reachable through a break statement inside a catch block, IonBuilder thinks it's unreachable. This patch just aborts for now since it's kind of an edge case.
(This bug seems to be the only remaining try-catch fuzz bug, will file a new bug to enable try-catch compilation by default.)
Attachment #795488 -
Flags: review?(bhackett1024)
|
||
Updated•12 years ago
|
Attachment #795488 -
Flags: review?(bhackett1024) → review+
|
|
Assignee | |
Comment 4•12 years ago
|
||
|
||
Comment 5•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
You need to log in
before you can comment on or make changes to this bug.
Description
•