Closed Bug 756243 Opened 9 years ago Closed 9 years ago

IonMonkey: Assertion failure: kind == GetGCThingTraceKind(*thingp), at gc/Marking.cpp:231

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking

()

VERIFIED FIXED
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file, 1 obsolete file)

The following testcase asserts on ionmonkey revision 14735b4dbccc (run with --ion -n -m):


function enterFunc (funcName)
    funcName += "()";
var lfcode = new Array();
gczeal(2);
evaluate("test();\
function test() {\
  enterFunc ('test');\
  (new test('(a(b(c)))(d(e(f)))\\\\2\\\\5'));\
}\
");
Hardware: x86 → x86_64
Assignee: general → dvander
Status: NEW → ASSIGNED
This is some kind of horrible bug involving invalidation, gc - we're restoring a value to the interpreter stack which has been freed. Investigating.
Attached patch fix (obsolete) — Splinter Review
Another simple off-by-N bug.
Attachment #624917 - Flags: review?(nicolas.b.pierron)
Attached patch better fixSplinter Review
Attachment #624917 - Attachment is obsolete: true
Attachment #624917 - Flags: review?(nicolas.b.pierron)
Attachment #624958 - Flags: review?(nicolas.b.pierron)
Comment on attachment 624958 [details] [diff] [review]
better fix

Review of attachment 624958 [details] [diff] [review]:
-----------------------------------------------------------------

Good, would be better if you can define

JSFunction *fun = maybeCalleeTokenToFunction(layout->calleeToken());
Attachment #624958 - Flags: review?(nicolas.b.pierron) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/8c54899dae82
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security
Keywords: sec-high
Early ion gc issue, in-testsuite-.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.