IonMonkey: Assertion failure: kind == GetGCThingTraceKind(*thingp), at gc/Marking.cpp:231

VERIFIED FIXED

Status

Core
JavaScript Engine
--
major
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks: 2 bugs, {assertion, sec-high, testcase})

Other Branch
x86_64
Linux
assertion, sec-high, testcase
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox-esr10 unaffected)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on ionmonkey revision 14735b4dbccc (run with --ion -n -m):


function enterFunc (funcName)
    funcName += "()";
var lfcode = new Array();
gczeal(2);
evaluate("test();\
function test() {\
  enterFunc ('test');\
  (new test('(a(b(c)))(d(e(f)))\\\\2\\\\5'));\
}\
");
(Assignee)

Updated

5 years ago
Hardware: x86 → x86_64
(Assignee)

Updated

5 years ago
Assignee: general → dvander
Status: NEW → ASSIGNED
(Assignee)

Comment 1

5 years ago
This is some kind of horrible bug involving invalidation, gc - we're restoring a value to the interpreter stack which has been freed. Investigating.
(Assignee)

Comment 2

5 years ago
Created attachment 624917 [details] [diff] [review]
fix

Another simple off-by-N bug.
Attachment #624917 - Flags: review?(nicolas.b.pierron)
(Assignee)

Comment 3

5 years ago
Created attachment 624958 [details] [diff] [review]
better fix
Attachment #624917 - Attachment is obsolete: true
Attachment #624917 - Flags: review?(nicolas.b.pierron)
Attachment #624958 - Flags: review?(nicolas.b.pierron)
Comment on attachment 624958 [details] [diff] [review]
better fix

Review of attachment 624958 [details] [diff] [review]:
-----------------------------------------------------------------

Good, would be better if you can define

JSFunction *fun = maybeCalleeTokenToFunction(layout->calleeToken());
Attachment #624958 - Flags: review?(nicolas.b.pierron) → review+
(Assignee)

Comment 5

5 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/8c54899dae82
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

5 years ago
JSBugMon: This bug has been automatically verified fixed.
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
Group: core-security
status-firefox-esr10: --- → unaffected
Keywords: sec-high
(Reporter)

Comment 7

4 years ago
Early ion gc issue, in-testsuite-.
Flags: in-testsuite-