Closed
Bug 724579
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::ion::IonFrameIterator::checkInvalidation] or [@ js::ion::IonJSFrameLayout::calleeToken] or "Assertion failure: code->raw() == buffer,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: dvander)
References
Details
(Keywords: assertion, crash, testcase)
Crash Data
Attachments
(4 files)
3.45 KB,
text/plain
|
Details | |
5.72 KB,
text/plain
|
Details | |
2.50 KB,
patch
|
cdleary
:
review+
|
Details | Diff | Splinter Review |
1.83 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The attached testcase asserts js debug shell on IonMonkey changeset 43b55878da46 with -m, -a (yes, -a!), --ion and -n at Assertion failure: code->raw() == buffer. Without the -a flag, this crashes js opt shell at js::ion::IonFrameIterator::checkInvalidation
Reporter | ||
Comment 1•12 years ago
|
||
Reporter | ||
Comment 2•12 years ago
|
||
I don't seem to get the assert anymore with -a using changeset a1fc5b03be76, but the crash still occurs without -a.
Reporter | ||
Comment 3•12 years ago
|
||
The crash in debug without -a is at js::ion::IonJSFrameLayout::calleeToken.
Crash Signature: [@ js::ion::IonFrameIterator::checkInvalidation] → [@ js::ion::IonJSFrameLayout::calleeToken]
[@ js::ion::IonFrameIterator::checkInvalidation]
Summary: IonMonkey: Crash [@ js::ion::IonFrameIterator::checkInvalidation] or "Assertion failure: code->raw() == buffer," → IonMonkey: Crash [@ js::ion::IonFrameIterator::checkInvalidation] or [@ js::ion::IonJSFrameLayout::calleeToken] or "Assertion failure: code->raw() == buffer,"
Assignee | ||
Comment 4•12 years ago
|
||
Two separate bugs here. The first one is that the invalidation bit on IonCode objects was only getting set on gc invalidation, but not normal invalidation.
Assignee | ||
Updated•12 years ago
|
Attachment #594830 -
Attachment description: :cdleary → first fix
Attachment #594830 -
Flags: review? → review?(christopher.leary)
Assignee | ||
Comment 5•12 years ago
|
||
The second bug is that we're invalidating inside ion::Bailout, which causes a lot of trouble since bailouts do not occur inside exit frames. Brian says we can just not run this if calling from Ion code.
Attachment #594845 -
Flags: review?(bhackett1024)
Updated•12 years ago
|
Attachment #594845 -
Flags: review?(bhackett1024) → review+
Updated•12 years ago
|
Attachment #594830 -
Flags: review?(christopher.leary) → review+
Assignee | ||
Comment 6•12 years ago
|
||
http://hg.mozilla.org/projects/ionmonkey/rev/88c7a495402a http://hg.mozilla.org/projects/ionmonkey/rev/d66c148e0756
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•