As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact bugzilla-admin@mozilla.org
Last Comment Bug 756240 - IonMonkey: Assertion failure: unexpected frame type, at ion/IonFrames.cpp:584
: IonMonkey: Assertion failure: unexpected frame type, at ion/IonFrames.cpp:584
Status: VERIFIED FIXED
[jsbugmon:update]
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86_64 Linux
: -- major (vote)
: ---
Assigned To: David Anderson [:dvander]
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz IonFuzz
  Show dependency treegraph
 
Reported: 2012-05-17 13:21 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:16 PST (History)
6 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
fix (1.39 KB, patch)
2012-05-18 00:45 PDT, David Anderson [:dvander]
nicolas.b.pierron: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2012-05-17 13:21:24 PDT
The following testcase asserts on ionmonkey revision 14735b4dbccc (run with --ion -n -m --ion-eager):


function f() {
  var x = 10;
  var g = function(x, Int8Array, arr, f) {
    for (var i = 0; i < 10; ++i) {
      gc();
    }
  }
  for (var i = 0; i < 10; ++i) {
    g(100 * i + x);
  }
}
f();
Comment 1 User image David Anderson [:dvander] 2012-05-17 15:18:16 PDT
This looks pretty straightforward, just a bogus assert - though I'd like to understand why we're seeing a BailedRectifier frame here first.
Comment 2 User image David Anderson [:dvander] 2012-05-18 00:45:14 PDT
Created attachment 625025 [details] [diff] [review]
fix

Looks normal.
Comment 3 User image Nicolas B. Pierron [:nbp] 2012-05-18 09:32:00 PDT
Comment on attachment 625025 [details] [diff] [review]
fix

Review of attachment 625025 [details] [diff] [review]:
-----------------------------------------------------------------

The rectifier frame is not removed by a bailout because we still have live code to remove it.

… | prev = Rectifier | prev = JSFrame <bailout>
… | prev = Bailed_Rectifier <exit> | ThunkToInterpreter

I don't think we need to mark arguments of the bailed rectifier frames since they are supposed to be captured by the bailout.  In fact, only the return address and the frame descriptor need to be kept alive and none are markable.  The callee token does not need to be marked since it is now part of the StackFrame.

::: js/src/ion/IonFrames.cpp
@@ +573,1 @@
>              MarkIonCodeRoot(trc, activation->compartment()->ionCompartment()->getArgumentsRectifierAddr(), "Arguments Rectifier");

nit: You don't need to mark Bailed_Rectifier frames.
Comment 4 User image David Anderson [:dvander] 2012-05-18 11:10:58 PDT
http://hg.mozilla.org/projects/ionmonkey/rev/1fe4c286323b
Comment 5 User image Christian Holler (:decoder) 2012-05-18 11:40:15 PDT
JSBugMon: This bug has been automatically verified fixed.
Comment 6 User image Christian Holler (:decoder) 2013-01-14 08:16:06 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756240.js.

Note You need to log in before you can comment on or make changes to this bug.