Closed Bug 732845 Opened 9 years ago Closed 9 years ago

IonMonkey: Assertion failure: mutationCount == p.mutationCount, at ./dist/include/js/HashTable.h:688

Categories

(Core :: JavaScript Engine, defect)

Version: Other Branch
Hardware: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(2 files)

Attached file Testcase for shell
The attached testcase asserts on ionmonkey revision 1fd6c40d3852 (run with --ion -n -m --ion-eager), tested on 64 bit.
See bug 738496 comment 2 for a reliably small testcase with the same assertion on IonMonkey.
Not sure if the test here is still valid, marking for a check. But even if it is not, we should ensure that the cause is the same as e.g. in bug 738496 because it seems like a generic assertion to me that multiple memory corruptions could produce.
Whiteboard: [jsbugmon:update]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision fe58c6671ebd).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
This is very likely a memory corruption, marking s-s until resolved.
Group: core-security
Bisect points to a merge here, unlikely that it fixed this issue. Someone needs to investigate this on the original revision.
Note that I still see this assertion in the fuzzer, but the tests are always very complex and hard to reduce. If this assertion is very generic, then we can compose a new test to analyze to ensure that we're working on the correct issue.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Duplicate of this bug: 738496
Attached patch Fix
The bug is that in generateVMWrapper we do this:
---
VMWrapperMap::AddPtr p = functionWrappers_->lookupForAdd(&f);
if (p)
    return p->value;
// ...
IonCode *wrapper = linker.newCode(cx);
if (!wrapper || !functionWrappers_->add(p, &f, wrapper))
    return NULL;
---
This is only safe if functionWrappers_ is not modified between the |lookupForAdd| and |add| calls. However, linker.newCode may trigger a last-ditch GC and sweep functionWrappers_, so we have to use relookupOrAdd. We do this in some other places for the same reason.
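To make the hazard in the comment above concrete, here is a small added example (not SpiderMonkey code and not part of the patch). It models only the part of the HashTable protocol that matters for this bug: every mutation bumps a counter, an AddPtr snapshots that counter at lookupForAdd time, and add() refuses a stale AddPtr (the real table asserts mutationCount == p.mutationCount; the toy returns false so a test can observe it). WrapperMap, Linker, generateWrapperUnsafe, generateWrapperSafe and runScenario are all invented names; the "GC sweep" is simulated by clearing the map inside newCode().

```cpp
#include <cstdint>
#include <cstdio>
#include <unordered_map>

// Toy stand-in (not js::HashMap) for the lookupForAdd/add/relookupOrAdd
// protocol. Only the mutation-counter bookkeeping is modelled.
class WrapperMap {
public:
    struct AddPtr {
        const void *key = nullptr;
        bool found = false;
        uint64_t mutationCount = 0;   // table's counter when the lookup was taken
    };

    AddPtr lookupForAdd(const void *key) const {
        AddPtr p;
        p.key = key;
        p.found = entries_.count(key) != 0;
        p.mutationCount = mutationCount_;
        return p;
    }

    // Valid only if nothing mutated the table since lookupForAdd().
    // The real HashTable asserts here; the toy reports failure instead.
    bool add(const AddPtr &p, const void *key, int value) {
        if (p.mutationCount != mutationCount_)
            return false;             // stale AddPtr: the assertion in this bug
        if (p.found)
            return false;
        entries_[key] = value;
        ++mutationCount_;
        return true;
    }

    // Tolerates intervening mutations by redoing the lookup when needed.
    bool relookupOrAdd(AddPtr &p, const void *key, int value) {
        if (p.mutationCount != mutationCount_)
            p = lookupForAdd(key);    // table changed: refresh the AddPtr
        if (p.found)
            return true;              // already present after the re-lookup
        return add(p, key, value);
    }

    // Simulated GC sweep: dropping entries mutates the table.
    void sweep() {
        entries_.clear();
        ++mutationCount_;
    }

    bool has(const void *key) const { return entries_.count(key) != 0; }

private:
    std::unordered_map<const void *, int> entries_;
    uint64_t mutationCount_ = 0;
};

// Stand-in for the linker: newCode() may trigger a last-ditch GC that
// sweeps the wrapper map, which is the hazard the fix addresses.
struct Linker {
    WrapperMap &wrappers;
    bool gcOnAllocate;
    int nextCode = 1;

    Linker(WrapperMap &w, bool gc) : wrappers(w), gcOnAllocate(gc) {}

    int newCode() {
        if (gcOnAllocate)
            wrappers.sweep();
        return nextCode++;
    }
};

// Buggy shape: AddPtr taken before newCode() and used after it.
bool generateWrapperUnsafe(WrapperMap &wrappers, Linker &linker, const void *f) {
    WrapperMap::AddPtr p = wrappers.lookupForAdd(f);
    if (p.found)
        return true;
    int wrapper = linker.newCode();       // may sweep the map
    return wrappers.add(p, f, wrapper);   // rejected if the map mutated
}

// Fixed shape: relookupOrAdd re-validates the AddPtr after newCode().
bool generateWrapperSafe(WrapperMap &wrappers, Linker &linker, const void *f) {
    WrapperMap::AddPtr p = wrappers.lookupForAdd(f);
    if (p.found)
        return true;
    int wrapper = linker.newCode();
    return wrappers.relookupOrAdd(p, f, wrapper);
}

// Returns true when the wrapper ended up in the map after the call.
bool runScenario(bool gcOnAllocate, bool useFix) {
    WrapperMap wrappers;
    Linker linker(wrappers, gcOnAllocate);
    int fn = 0;   // any distinct address serves as the VMFunction key
    bool ok = useFix ? generateWrapperSafe(wrappers, linker, &fn)
                     : generateWrapperUnsafe(wrappers, linker, &fn);
    return ok && wrappers.has(&fn);
}

int main() {
    std::printf("unsafe, no GC : %s\n", runScenario(false, false) ? "ok" : "FAILED");
    std::printf("unsafe, GC    : %s\n", runScenario(true, false) ? "ok" : "FAILED");
    std::printf("fixed,  GC    : %s\n", runScenario(true, true) ? "ok" : "FAILED");
    return 0;
}
```

Only the combination of the old lookupForAdd/add shape with a sweep inside newCode() fails; without the sweep the stale-AddPtr check never fires, which is why the assertion only showed up under GC pressure and was hard to reduce.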
Attachment #623998 - Flags: review?(dvander)
Attachment #623998 - Flags: review?(dvander) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/06338317eaba
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: core-security
Testcase is too complex to add.
Flags: in-testsuite-