Closed
Bug 754712
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(thing)), at js/src/jsgc.cpp:4465
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
1.08 KB, text/javascript
1.75 KB, patch (billm: review+)
The attached testcase asserts on ionmonkey revision e8de64e7e9fe (run with --ion -n -m --ion-eager).
Assignee
Updated•12 years ago
Assignee: general → dvander
Status: NEW → ASSIGNED
Talking this over with David. It sounds like the IonScript is linked off a JSScript, and it has a trace method. If we ever kill the IonScript during an incremental GC (due to invalidation, say), then all the objects that would have been traced by the IonScript need to be marked immediately, as a kind of custom write barrier. The patch in bug 754150 has an almost exactly similar case for JaegerMonkey, and I imagine the IonMonkey patch would be similar.
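The failure mode described in the comment above, reduced to a toy snapshot-at-the-beginning collector. This is an added illustration, not code from the patch or from SpiderMonkey; `Cell`, `CodeBlob`, `Script` and `Collector` are hypothetical stand-ins for the GC thing, the IonScript, the JSScript and the incremental marker.

```cpp
#include <vector>

// Toy model, constructed for illustration; none of these types are SpiderMonkey's.
struct Cell { bool marked = false; };

struct CodeBlob {                  // plays the role of the IonScript
    std::vector<Cell*> refs;       // edges the blob's trace method would visit
    void trace() { for (Cell* c : refs) c->marked = true; }
};

struct Script {                    // plays the role of the JSScript
    CodeBlob* code = nullptr;      // the only path from the script to refs
    void trace() { if (code) code->trace(); }
};

struct Collector {
    bool needsBarrier = false;     // true between the first and last mark slice
    std::vector<Script*> unscanned;
    void beginMark(Script* root) { needsBarrier = true; unscanned.push_back(root); }
    void finishMark() {
        for (Script* s : unscanned) s->trace();
        unscanned.clear();
        needsBarrier = false;
    }
};

// Drop the blob mid-collection. With the barrier, everything the blob would
// have traced is marked before the edge from the script disappears.
void invalidate(Collector& gc, Script& s, bool useBarrier) {
    if (useBarrier && gc.needsBarrier && s.code) s.code->trace();
    delete s.code;
    s.code = nullptr;
}

// Returns true if a cell reachable when marking began is marked when it ends.
bool snapshotSurvives(bool useBarrier) {
    Cell cell;
    Script script;
    script.code = new CodeBlob{{&cell}};
    Collector gc;
    gc.beginMark(&script);               // slice 1: script queued, not yet scanned
    invalidate(gc, script, useBarrier);  // mutator runs between slices
    gc.finishMark();                     // slice 2: script has no blob left to trace
    return cell.marked;
}

int main() { return snapshotSurvives(true) && !snapshotSurvives(false) ? 0 : 1; }
```

Without the barrier the cell ends the collection unmarked even though it was reachable when marking started, which is the condition the `IsMarkedOrAllocated` assertion in the bug title checks for.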
Assignee
Comment 2•12 years ago
Thanks for helping me diagnose this, Bill. The test case no longer reproduces on tip, but this is definitely a bug and this patch appears to fix it from when it did reproduce a few days ago.
Attachment #624434 -
Flags: review?(wmccloskey)
Comment on attachment 624434 [details] [diff] [review] fix Review of attachment 624434 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/Ion.cpp @@ +1154,5 @@ > + IonScript *ionScript = script->ion; > + > + JSCompartment *compartment = script->compartment(); > + if (compartment->needsBarrier()) { > + // We're about to remove edges from the JSScipt to gcthings JScript -> JSScript
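Review bot: in the comment inside the `compartment->needsBarrier()` branch, `JSScipt` should read `JSScript`. That comment is the only explanation in the quoted lines of why invalidation has to involve the GC at all, so it is worth extending it to say that the edges being removed must be marked first because `needsBarrier()` means a collection is in progress.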
Attachment #624434 -
Flags: review?(wmccloskey) → review+
Assignee
Comment 4•12 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/9caa6deab767
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
status-firefox-esr10:
--- → unaffected
Reporter
Comment 5•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Reporter
Updated•12 years ago
Status: RESOLVED → VERIFIED
Reporter
Updated•12 years ago
Group: core-security
Reporter
Comment 6•11 years ago
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+