1175535 - Assertion failure: !IsInsideNursery(ptr_), at c:\mozilla\builds\nightly\mozilla\js\src\jit/MIR.h:2862

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Carsten Book [:Tomcat]]

Attachment: bughunter stack

Found via bughunter and reproduced on a windows 7 debug with m-c tip 

Steps to reproduce:
-> Load http://www.paulsmith.co.jp/shop/men/shoes/products/1408098400CASE____

--> Assertion failure: !IsInsideNursery(ptr_), at c:\mozilla\builds\nightly\mozilla\js\src\jit/MIR.h:2862

Comment 1

[Carsten Book [:Tomcat]]

brian is this something for you ? filed as s-s just in case

Comment 2

[Brian Hackett [Laid off!]]

Attachment: patch

This is a bogus assert.  A nursery pointer found its way to AlwaysTenured, which asserts the pointer is not in the nursery, but the right state was set so that a minor GC would cancel this compilation so no bad behavior can result.

This patch changes AlwaysTenured to CompilerGCPointer and relaxes the assertions it does.  It also cleans up these assertions a bit, here as well as in MConstant, and removes some IsInsideNursery tests in IonBuilder that should only have been necessary to satisfy the AlwaysTenured requirements.

Comment 3

[Jan de Mooij [:jandem]]

Comment on attachment 8624331 [details] [diff] [review]
patch

Review of attachment 8624331 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/MIR.h
@@ +2862,3 @@
>        : ptr_(ptr)
>      {
> +        MOZ_ASSERT_IF(ptr && IsInsideNursery(ptr), IonCompilationCanUseNurseryPointers());

Nit: can remove the "ptr &&" check because IsInsideNursery is null-safe.

Comment 4

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/59c94503731a

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/59c94503731a