Created attachment 594736
The attached testcase asserts js debug shell on IonMonkey changeset 43b55878da46 with -m, -a (yes, -a!), --ion and -n at Assertion failure: code->raw() == buffer. Without the -a flag, this crashes js opt shell at js::ion::IonFrameIterator::checkInvalidation.
Created attachment 594737
I don't seem to get the assert anymore with -a using changeset a1fc5b03be76, but the crash still occurs without -a.
The crash in debug without -a is at js::ion::IonJSFrameLayout::calleeToken.
Created attachment 594830
Two separate bugs here. The first one is that the invalidation bit on IonCode objects was only getting set on GC invalidation, but not normal invalidation.
Created attachment 594845
The second bug is that we're invalidating inside ion::Bailout, which causes a lot of trouble since bailouts do not occur inside exit frames. Brian says we can just not run this if calling from Ion code.
*** Bug 724798 has been marked as a duplicate of this bug. ***
*** Bug 724871 has been marked as a duplicate of this bug. ***
*** Bug 724777 has been marked as a duplicate of this bug. ***