IonMonkey: Crash [@ js::ion::IonFrameIterator::checkInvalidation] or [@ js::ion::IonJSFrameLayout::calleeToken] or "Assertion failure: code->raw() == buffer,"

RESOLVED FIXED

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: gkw, Assigned: dvander)

Tracking

(Blocks: 2 bugs, {assertion, crash, testcase})

Trunk
x86
Mac OS X
assertion, crash, testcase

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(4 attachments)

(Reporter)

Description

6 years ago
Created attachment 594736 [details]
testcase

The attached testcase asserts js debug shell on IonMonkey changeset 43b55878da46 with -m, -a (yes, -a!), --ion and -n at Assertion failure: code->raw() == buffer. Without the -a flag, this crashes js opt shell at js::ion::IonFrameIterator::checkInvalidation.
(Reporter)

Comment 1

6 years ago
Created attachment 594737 [details]
stacks
(Reporter)

Comment 2

6 years ago
I don't seem to get the assert anymore with -a using changeset a1fc5b03be76, but the crash still occurs without -a.
(Reporter)

Comment 3

6 years ago
The crash in debug without -a is at js::ion::IonJSFrameLayout::calleeToken.
Crash Signature: [@ js::ion::IonFrameIterator::checkInvalidation] → [@ js::ion::IonJSFrameLayout::calleeToken] [@ js::ion::IonFrameIterator::checkInvalidation]
Summary: IonMonkey: Crash [@ js::ion::IonFrameIterator::checkInvalidation] or "Assertion failure: code->raw() == buffer," → IonMonkey: Crash [@ js::ion::IonFrameIterator::checkInvalidation] or [@ js::ion::IonJSFrameLayout::calleeToken] or "Assertion failure: code->raw() == buffer,"
(Assignee)

Comment 4

6 years ago
Created attachment 594830 [details] [diff] [review]
first fix

Two separate bugs here. The first one is that the invalidation bit on IonCode objects was only getting set on gc invalidation, but not normal invalidation.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #594830 - Flags: review?
(Assignee)

Updated

6 years ago
Attachment #594830 - Attachment description: :cdleary → first fix
Attachment #594830 - Flags: review? → review?(christopher.leary)
(Assignee)

Comment 5

6 years ago
Created attachment 594845 [details] [diff] [review]
second fix

The second bug is that we're invalidating inside ion::Bailout, which causes a lot of trouble since bailouts do not occur inside exit frames. Brian says we can just not run this if calling from Ion code.
Attachment #594845 - Flags: review?(bhackett1024)
Attachment #594845 - Flags: review?(bhackett1024) → review+
Attachment #594830 - Flags: review?(christopher.leary) → review+
(Assignee)

Comment 6

6 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/88c7a495402a
http://hg.mozilla.org/projects/ionmonkey/rev/d66c148e0756
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Assignee)

Updated

6 years ago
Duplicate of this bug: 724798
(Assignee)

Updated

6 years ago
Duplicate of this bug: 724871
(Assignee)

Updated

6 years ago
Duplicate of this bug: 724777
(Reporter)

Updated

6 years ago
No longer blocks: 630996