759306 - IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ js::gc::Cell::compartment]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on ionmonkey revision 4ce3983a43f4 (run with --ion -n -m):


function assertEq(setter) {
        if (setter > 10)
            return {assertEq: 3.3};
        return {__proto__: assertEq(setter + 1)};
    }
function testX() {
  var x = 2;
  var local0 = x;
  return { local0: local0 };
}
var resultsX = testX();
assertEq(resultsX.local0, 2);
gczeal(2);
assertEq(new (Proxy.createFunction({}, function(){}, function(){})), undefined);

Comment 1

[Christian Holler (:decoder)]

Crash trace:


Program received signal SIGSEGV, Segmentation fault.
0x0804ca51 in js::gc::Cell::compartment (this=0x0) at ../../gc/Heap.h:970
970         return arenaHeader()->compartment;
(gdb) x /i $pc
=> 0x804ca51 <js::gc::Cell::compartment() const+17>:    mov    (%eax),%eax
(gdb) info reg eax
eax            0x0      0
(gdb) bt
#0  0x0804ca51 in js::gc::Cell::compartment (this=0x0) at ../../gc/Heap.h:970
#1  0x08337013 in js::gc::CheckMarkedThing<JSObject> (trc=0x87aae28, thing=0x0) at js/src/gc/Marking.cpp:86
#2  0x083358b4 in js::gc::MarkInternal<JSObject> (trc=0x87aae28, thingp=0xfffe01d0) at js/src/gc/Marking.cpp:108
#3  0x08333ee3 in js::gc::MarkRoot<JSObject> (trc=0x87aae28, thingp=0xfffe01d0, name=0x85c2794 "ion-vm-args") at js/src/gc/Marking.cpp:154
#4  0x0832fa0b in js::gc::MarkObjectRoot (trc=0x87aae28, thingp=0xfffe01d0, name=0x85c2794 "ion-vm-args") at js/src/gc/Marking.cpp:213
#5  0x08445f88 in MarkIonExitFrame (trc=0x87aae28, frame=...) at js/src/ion/IonFrames.cpp:497
#6  0x084460aa in MarkIonActivation (trc=0x87aae28, activations=...) at js/src/ion/IonFrames.cpp:530
#7  0x08446178 in js::ion::MarkIonActivations (rt=0x87aacb8, trc=0x87aae28) at js/src/ion/IonFrames.cpp:557
#8  0x0810886c in js::MarkRuntime (trc=0x87aae28, useSavedRoots=false) at js/src/jsgc.cpp:2348
#9  0x08109a7d in BeginMarkPhase (rt=0x87aacb8) at js/src/jsgc.cpp:3003
#10 0x0810adfe in NonIncrementalMark (rt=0x87aacb8, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:3306
#11 0x0810be60 in GCCycle (rt=0x87aacb8, incremental=false, budget=0, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:3660
#12 0x0810c37f in Collect (rt=0x87aacb8, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:3769
#13 0x0810c514 in js::GC (rt=0x87aacb8, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:3793
#14 0x081066b5 in js::gc::RunLastDitchGC (cx=0x87cf570, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:1668
#15 0x0810d133 in js::gc::RunDebugGC (cx=0x87cf570) at js/src/jsgc.cpp:4012
#16 0x080b1501 in js::gc::NewGCThing<JSObject> (cx=0x87cf570, kind=js::gc::FINALIZE_OBJECT4, thingSize=48) at ../jsgcinlines.h:413
#17 0x080a032e in js_NewGCObject (cx=0x87cf570, kind=js::gc::FINALIZE_OBJECT4) at ../jsgcinlines.h:459
#18 0x080a077b in js::NewObjectCache::newObjectFromHit (this=0x87bf750, cx=0x87cf570, entry_=11) at ../jscntxtinlines.h:125
#19 0x08189114 in js::NewObjectWithClassProto (cx=0x87cf570, clasp=0x87815c0, proto=0x0, parent=0xf7703040, kind=js::gc::FINALIZE_OBJECT4) at js/src/jsobj.cpp:2824
#20 0x080a3509 in js::NewBuiltinClassInstance (cx=0x87cf570, clasp=0x87815c0, kind=js::gc::FINALIZE_OBJECT4) at ../jsobjinlines.h:1445
#21 0x0849b384 in js::ion::NewInitObject (cx=0x87cf570, baseObj=..., type=0xf7700160) at js/src/ion/VMFunctions.cpp:239
#22 0x0041434a in ?? ()


Could be a null-deref only, but making this s-s until confirmed as the crash is GC-related.

Comment 2

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fix

Comment 3

[David Anderson [:dvander] - inactive, e-mail if emergency]

http://hg.mozilla.org/projects/ionmonkey/rev/8b8884faad49

Comment 4

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397