Created attachment 594736: testcase
The attached testcase asserts js debug shell on IonMonkey changeset 43b55878da46 with -m, -a (yes, -a!), --ion and -n at Assertion failure: code->raw() == buffer. Without the -a flag, this crashes js opt shell at js::ion::IonFrameIterator::checkInvalidation.
I don't seem to get the assert anymore with -a using changeset a1fc5b03be76, but the crash still occurs without -a.
The crash in debug without -a is at js::ion::IonJSFrameLayout::calleeToken.
Created attachment 594830: first fix
Two separate bugs here. The first one is that the invalidation bit on IonCode objects was only getting set on gc invalidation, but not normal invalidation.
Created attachment 594845: second fix
The second bug is that we're invalidating inside ion::Bailout, which causes a lot of trouble since bailouts do not occur inside exit frames. Brian says we can just not run this if calling from Ion code.