Closed
Bug 854034
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::CloneFunctionAtCallsite] or Assertion failure: hasScript(), at jsfun.h
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla22
| Tracking | Status | |
|---|---|---|
| firefox19 | --- | unaffected |
| firefox20 | --- | unaffected |
| firefox21 | --- | unaffected |
| firefox22 | + | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
| b2g18-v1.0.0 | --- | unaffected |
| b2g18-v1.0.1 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][adv-main22-])
Crash Data
Attachments
(2 files)
|
(deleted),
text/plain
|
Details | |
|
(deleted),
patch
|
nmatsakis
:
review+
|
Details | Diff | Splinter Review |
try {
[].some(ParallelArray.prototype.map)
} catch (e) {}
for (var z = 0; z < 9; z++) {
[1].some(Float32Array)
}
crashes js opt shell on ionmonkey changeset f035cd0ee56e with --ion-eager at js::CloneFunctionAtCallsite and asserts js debug shell at Assertion failure: hasScript(), at jsfun.h
s-s because there is a bunch of memory addresses on the stack.
|
Reporter | |
Comment 1•12 years ago
|
||
I also tested this with a threadsafe and --enable-more-deterministic, not sure if the latter is needed.
|
||
Comment 2•12 years ago
|
||
This also asserts on mozilla-inbound. Seems to be related to revision a04dde344d24.
Summary: BaselineCompiler: Crash [@ js::CloneFunctionAtCallsite] or Assertion failure: hasScript(), at jsfun.h → IonMonkey: Crash [@ js::CloneFunctionAtCallsite] or Assertion failure: hasScript(), at jsfun.h
|
|
||
Comment 3•12 years ago
|
||
Attachment #728505 -
Flags: review?(nmatsakis)
|
||
Updated•12 years ago
|
Attachment #728505 -
Flags: review?(nmatsakis) → review+
|
|
Reporter | |
Comment 4•12 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 125947:b00eb1ef1517
user: Nicholas D. Matsakis
date: Tue Mar 19 22:12:27 2013 -0400
summary: Bug 829602 - Enable self-hosted parallelarray r=dvander,till
|
|
Reporter | |
Comment 5•12 years ago
|
||
Only nightly is affected, this can likely go in without sec-approval.
status-b2g18:
--- → unaffected
status-b2g18-v1.0.0:
--- → unaffected
status-b2g18-v1.0.1:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox20:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox22:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox22:
--- → ?
|
|
Reporter | |
Updated•12 years ago
|
Keywords: checkin-needed
|
|
Reporter | |
Comment 6•12 years ago
|
||
(I've let djvj via IRC know that I'll be setting checkin-needed here to fix fuzzer issues, hope that this sticks)
|
|
||
Comment 7•12 years ago
|
||
|
|
Reporter | |
Updated•12 years ago
|
Keywords: checkin-needed
|
||
Comment 8•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
|
||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 9•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•12 years ago
|
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•