Closed Bug 754712 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(thing)), at js/src/jsgc.cpp:4465

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking


VERIFIED FIXED
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Attached file Testcase for shell
The attached testcase asserts on ionmonkey revision e8de64e7e9fe (run with --ion -n -m --ion-eager).
Assignee: general → dvander
Status: NEW → ASSIGNED
Talking this over with David. It sounds like the IonScript is linked off a JSScript, and it has a trace method. If we ever kill the IonScript during an incremental GC (due to invalidation, say), then all the objects that would have been traced by the IonScript need to be marked immediately, as a kind of custom write barrier. The patch in bug 754150 has an almost exactly similar case for JaegerMonkey, and I imagine the IonMonkey patch would be similar.
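The invariant described in that comment, as an added toy model in C (not SpiderMonkey code; `Ion`, `Script`, `store` and `invalidate` are stand-ins for IonScript, JSScript, a barriered slot write and IonScript invalidation): an object reachable only through the Ion's edge is read by the mutator, the edge is dropped mid-GC, and the object is stored into an already-scanned root. Without marking the Ion's referents at invalidation time, the collector never sees it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy mark heap: N objects, each with one outgoing edge (slot[i] == -1 means none). */
#define N 4
static bool marked[N];
static int slot[N];
static int mark_stack[N], sp;          /* grey objects not yet scanned */
static bool needs_barrier;             /* true while an incremental GC is in progress */

/* Stand-ins for IonScript and JSScript: the script owns an optional side
   structure that references a gcthing, as script->ion does on the page. */
struct Ion { int target; };
struct Script { struct Ion *ion; };

static void mark(int i) { if (i >= 0 && !marked[i]) { marked[i] = true; mark_stack[sp++] = i; } }
/* One incremental slice: scan a single grey object and mark what it points to. */
static void scan_one(void) { if (sp > 0) mark(slot[mark_stack[--sp]]); }
/* Pre-write barrier on a slot store: the old referent is marked, the new one is not. */
static void store(int obj, int value) { if (needs_barrier) mark(slot[obj]); slot[obj] = value; }

/* Dropping the script->ion edge. The fix mirrors the patch's needsBarrier() block:
   mark everything the Ion's trace method would have traced before the edge is gone. */
static void invalidate(struct Script *s, bool with_fix) {
    if (with_fix && needs_barrier) mark(s->ion->target);
    s->ion = NULL;                     /* the real engine frees the IonScript here */
}

/* Returns true if X (object 2) survives the GC cycle; it is still reachable from B. */
static bool run_scenario(bool with_fix) {
    for (int i = 0; i < N; i++) { marked[i] = false; slot[i] = -1; }
    sp = 0;
    struct Ion ion = { .target = 2 };              /* Ion references X */
    struct Script script = { .ion = &ion };
    int B = 0;                                     /* another root object */
    needs_barrier = true;                          /* incremental GC begins */
    mark(B); scan_one();                           /* B marked and scanned: black */
    /* Mutator slice before the GC reaches the script: */
    int x = script.ion->target;                    /* read X through the ion edge */
    invalidate(&script, with_fix);                 /* delete that edge */
    store(B, x);                                   /* store X into black B */
    /* GC resumes: trace the script, drain the mark stack, then sweep. */
    if (script.ion) mark(script.ion->target);
    while (sp > 0) scan_one();
    needs_barrier = false;
    return marked[x];                              /* false: X swept while reachable */
}

int main(void) {
    for (int fix = 0; fix < 2; fix++)
        printf("%s: X %s\n", fix ? "fixed" : "unfixed", run_scenario(fix) ? "survives" : "freed while reachable");
    return 0;
}
```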
Attached patch fix
Thanks for helping me diagnose this, Bill. The test case no longer reproduces on tip, but this is definitely a bug and this patch appears to fix it from when it did reproduce a few days ago.
Attachment #624434 - Flags: review?(wmccloskey)
Comment on attachment 624434 [details] [diff] [review]
fix

Review of attachment 624434 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/Ion.cpp
@@ +1154,5 @@
> +            IonScript *ionScript = script->ion;
> +
> +            JSCompartment *compartment = script->compartment();
> +            if (compartment->needsBarrier()) {
> +                // We're about to remove edges from the JSScipt to gcthings
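Review bot: The comment on the last line misspells JSScript as "JSScipt". Since this block only runs when compartment->needsBarrier() is true, the marking it guards has to cover every gcthing the IonScript's trace method would otherwise have reached, and it has to happen before script->ion is cleared or the IonScript is freed; the code doing that marking is below the visible context, so it is worth confirming that nothing between the needsBarrier() check and the marking can drop the edge first, otherwise the incremental-GC invariant described in comment 1 is still violated.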

JScript -> JSScript
Attachment #624434 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/9caa6deab767
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+