Closed
Bug 784652
Opened 12 years ago
Closed 12 years ago
IonMonkey: Opt-only crash on heap near [@ defaultValue]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore][ion:p1:fx18])
Crash Data
Attachments
(1 file)
(deleted), text/javascript
The attached testcase crashes on ionmonkey revision ab4f8a3762c6 (run with --ion -n -m --ion-eager).
Reporter
Comment 1 • 12 years ago
Only reproduces in an opt-build (and requires gczeal enabled there). Crash trace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff070f920 in ?? ()
Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
(gdb) bt
#0 0x00007ffff070f920 in ?? ()
#1 0x00000000004b9e93 in defaultValue (cx=0xacb660, v=..., out=0x7fffffffc238) at ../jsobjinlines.h:73
#2 ToPrimitive (cx=0xacb660, v=..., out=0x7fffffffc238) at ../jsobjinlines.h:1328
#3 js::ToNumberSlow (cx=0xacb660, v=..., out=0x7fffffffc238) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsnum.cpp:1393
#4 0x00000000004ba66d in js::ToInt32Slow (cx=<value optimized out>, v=<value optimized out>, out=0x7fffffffc258) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsnum.cpp:1449
#5 0x0000000000784abf in ToInt32 (cx=0xacb660, lhs=<value optimized out>, rhs=..., out=0x7fffffffc29c) at ../jsapi.h:2845
#6 js::BitXor (cx=0xacb660, lhs=<value optimized out>, rhs=..., out=0x7fffffffc29c) at ../jsinterpinlines.h:886
#7 0x00007ffff7f46c84 in ?? ()
#8 0x00007fffffffc2c8 in ?? ()
#9 0x00007fffffffc29c in ?? ()
#10 0x00007ffff0711d00 in ?? ()
#11 0x00007fffffffc2a0 in ?? ()
#12 0x0000000000ab6ca0 in js::ion::CodeGenerator::visitBitOpV(js::ion::LBitOpV*)::BitLhsInfo ()
#13 0x00007ffff0714128 in ?? ()
#14 0x00007ffff7f47481 in ?? ()
#15 0x0000000000000440 in ?? () at ../assembler/assembler/AssemblerBuffer.h:104
#16 0xfffbfffff0715fc0 in ?? ()
[...]
(gdb) x /i $pc
=> 0x7ffff070f920: mov $0x10,%al
(gdb) info reg al
al 0x20 32
Updated • 12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Reporter
Comment 2 • 12 years ago
I tried reproducing this on mozilla-central fdfaef738a00 but failed. Also JSBugMon can't track this because it's an opt-only issue.
Whiteboard: [jsbugmon:update][ion:p1:fx18] → [jsbugmon:ignore][ion:p1:fx18]
Version: Other Branch → Trunk
Comment 3 • 12 years ago
Works for me, --enable-optimize --disable-debug --enable-gczeal, with --ion-eager.
Decoder, can you verify?
Christian, I can't reproduce this on the given cset either. Do we need some precise build flags, or should we get access to your test machine again?
Reporter
Comment 5 • 12 years ago
WFM on tip too, shall we just close this?
Yeah, sgtm.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Updated • 11 years ago
Group: core-security