Closed Bug 488693 Opened 16 years ago Closed 16 years ago

TM: "Assertion failure: !JS_TRACE_MONITOR(cx).needFlush, at ../jstracer.cpp"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: gkw, Assigned: jorendorff)

References

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 1 obsolete file)

interdiff v1 to v2
2.30 KB, patch
Details | Diff | Splinter Review
v2
11.51 KB, patch
gal
: review+
Details | Diff | Splinter Review
(new Function("for (var x = 0; x < 2; ++x) { gczeal(2)} "))() asserts dbg js shell with -j at Assertion failure: !JS_TRACE_MONITOR(cx).needFlush, at ../jstracer.cpp:4482 This is occurring very often with jsfunfuzz. autoBisect shows this is probably related to bug 487845 : The first bad revision is: changeset: 27192:4c157cfe2289 user: Jason Orendorff date: Tue Apr 14 08:45:37 2009 -0500 summary: Bug 487845 - TM: After deep-bailing, we can lirbuf->rewind() and then return to a dead code page. r=gal.
Flags: blocking1.9.1?
It is definitely due to the patch fingered in comment 0. There are two possibly easy fixes. 1. delete the assertion, since it's new and apparently bogus (afaik we didn't crash due to recording when the JIT cache is needFlush before) 2. after GC (that is, in js_GC and also when entering a request, since GC may have happened) if needFlush is set, purge the cache
Assignee: general → jorendorff
Attached patch v1 (obsolete) — Splinter Review
Attachment #373223 - Flags: review?(gal)
Comment on attachment 373223 [details] [diff] [review] v1 Looks good. We have some test coverage for cache flushing. As long tinderboxes are happy we should be good.
Attachment #373223 - Flags: review?(gal) → review+
http://hg.mozilla.org/tracemonkey/rev/a6071b1aa626
Whiteboard: fixed-in-tracemonkey
v1 wasn't flushing the JIT cache in all cases where js_CheckGlobalObjectShape returns false. v2 fixes that but also takes the opportunity to make a few more changes. Note in particular the last hunk. v1 inserted that "Even if there is a mismatch we can start recording" comment. I now claim that it's just a bug: we must give up recording there, because globalShape and globalSlots may not have been populated.
Attached patch v2Splinter Review
Attachment #373223 - Attachment is obsolete: true
Attachment #373377 - Flags: review?(gal)
Comment on attachment 373377 [details] [diff] [review] v2 Did you check for perf impact? (SS shell)
Attachment #373377 - Flags: review?(gal) → review+
(In reply to comment #5) > http://hg.mozilla.org/tracemonkey/rev/a6071b1aa626 caused js1_7/regress/regress-464403.js to Assertion failure: !tm->recorder, at ../jstracer.cpp:4395
js1_7/regress/regress-464403.js works with TM tip for me.
Flags: blocking1.9.1? → blocking1.9.1+
the failure went away when it was backed out by: http://hg.mozilla.org/tracemonkey/rev/a9e5683faba0 http://hg.mozilla.org/tracemonkey/rev/02918f4d3bcd the new patch http://hg.mozilla.org/tracemonkey/rev/34479ba0e4fb is different. I brought it up so the new patch could be tested to make sure it didn't have the same assertion. I don't see the assertion with tracemonkey tip now either.
http://hg.mozilla.org/mozilla-central/rev/34479ba0e4fb
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Keywords: fixed1.9.1
Flags: in-testsuite?
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: