Closed Bug 739402 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash [@ EnterIon] or [@ js::ion::Cannon] or [@ CheckStackQuota] or [@ js::mjit::stubs::HitStackQuota]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
macOS
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file: stack (deleted)
The upcoming attached testcase crashes 32-bit js opt shell (compiled with --enable-more-deterministic) on IonMonkey changeset be41973873db with -m, -a, --ion and -n at EnterIon and js::ion::Cannon or CheckStackQuota and js::mjit::stubs::HitStackQuota.
This does not seem to reproduce with debug shells.
Depends on: 735030
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fd3ee0 in ?? ()
#0  0x00007ffff7fd3ee0 in ?? ()
#1  0xfffafffff638e9e0 in ?? ()
#2  0x00007fffffffd568 in ?? ()
#3  0xfff880000000000a in ?? ()
#4  0xfff9000000000000 in ?? ()
#5  0x00007ffff7fecb52 in ?? ()
#6  0x0000000000000180 in ?? ()
#7  0x00007ffff6310b40 in ?? ()
#8  0x0000000000000001 in ?? ()
#9  0x00007fffffffd598 in ?? ()
#10 0xfff9000000000000 in ?? ()
#11 0xfffafffff638e9e0 in ?? ()
#12 0x00007ffff638e9e0 in ?? ()
#13 0x00007ffff7fe890c in ?? ()
#14 0x0000000000000081 in ?? ()
#15 0x00007ffff6310a80 in ?? ()
#16 0xfff9000000000000 in ?? ()
#17 0x00007fffffffd670 in ?? ()
#18 0x00007fffffffd790 in ?? ()
#19 0x000000000000ffff in ?? ()
#20 0x00007ffff7feca18 in ?? ()
#21 0x00007ffff65250b8 in ?? ()
#22 0x0000000000a55a90 in ?? ()
#23 0x00007fffffffd6b0 in ?? ()
#24 0x0000000000688cd0 in EnterIon (cx=0x1, fp=0x0, jitcode=0x7ffff65250b0) at /home/fuzz2lin/Desktop/jsfunfuzz-dbg-64-im-91657-55ab6c6d276a/compilePath/js/src/ion/Ion.cpp:964
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Tested with 64-bit js opt shell on IonMonkey changeset 55ab6c6d276a with --ion and -n in Ubuntu Linux 11.10.
Version: Trunk → Other Branch
WFM as of IonMonkey changeset 72596946ff96.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME