Bug 724579 - IonMonkey: Crash [@ js::ion::IonFrameIterator::checkInvalidation] or [@ js::ion::IonJSFrameLayout::calleeToken] or "Assertion failure: code->raw() == buffer,"
Status: RESOLVED FIXED
Keywords: assertion, crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Target Milestone: ---
Assigned To: David Anderson [:dvander]
QA Contact:
Mentors:
Duplicates: 724777 724798 724871
Depends on:
Blocks: jsfunfuzz IonFuzz
Reported: 2012-02-06 09:39 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-03-03 22:21 PST
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (3.45 KB, text/plain)
2012-02-06 09:39 PST, Gary Kwong [:gkw] [:nth10sd]
stacks (5.72 KB, text/plain)
2012-02-06 09:42 PST, Gary Kwong [:gkw] [:nth10sd]
first fix (2.50 KB, patch)
2012-02-06 14:58 PST, David Anderson [:dvander]
cdleary: review+
second fix (1.83 KB, patch)
2012-02-06 15:34 PST, David Anderson [:dvander]
bhackett1024: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-02-06 09:39:04 PST
Created attachment 594736
testcase

The attached testcase asserts the js debug shell on IonMonkey changeset 43b55878da46 with -m, -a (yes, -a!), --ion and -n at "Assertion failure: code->raw() == buffer". Without the -a flag, this crashes the js opt shell at js::ion::IonFrameIterator::checkInvalidation.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-02-06 09:42:20 PST
Created attachment 594737 [details]
stacks
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-02-06 13:36:22 PST
I don't seem to get the assert anymore with -a using changeset a1fc5b03be76, but the crash still occurs without -a.
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-02-06 13:37:41 PST
The crash in debug without -a is at js::ion::IonJSFrameLayout::calleeToken.
Comment 4 David Anderson [:dvander] 2012-02-06 14:58:57 PST
Created attachment 594830
first fix

Two separate bugs here. The first one is that the invalidation bit on IonCode objects was only getting set on gc invalidation, but not normal invalidation.
Comment 5 David Anderson [:dvander] 2012-02-06 15:34:32 PST
Created attachment 594845
second fix

The second bug is that we're invalidating inside ion::Bailout, which causes a lot of trouble since bailouts do not occur inside exit frames. Brian says we can just not run this if calling from Ion code.
Comment 7 David Anderson [:dvander] 2012-02-07 12:56:04 PST
*** Bug 724798 has been marked as a duplicate of this bug. ***
Comment 8 David Anderson [:dvander] 2012-02-07 12:59:39 PST
*** Bug 724871 has been marked as a duplicate of this bug. ***
Comment 9 David Anderson [:dvander] 2012-02-07 13:44:59 PST
*** Bug 724777 has been marked as a duplicate of this bug. ***