Closed Bug 757304 Opened 9 years ago Closed 9 years ago

IonMonkey: "Assertion failure: trc->runtime->gcIncrementalState == NO_INCREMENTAL || trc->runtime->gcIncrementalState == MARK_ROOTS,"

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: gkw, Assigned: nbp)

References

Details

(Keywords: assertion, sec-critical, testcase)

Attachments

(2 files, 1 obsolete file)

Attached file stack
The upcoming testcase asserts js debug shell on IonMonkey changeset d80602d38aa8 without any CLI arguments at Assertion failure: trc->runtime->gcIncrementalState == NO_INCREMENTAL || trc->runtime->gcIncrementalState == MARK_ROOTS,

s-s because gc is on the stack, tested after bug 756659 landed on IonMonkey.
This bug is located after https://bugzilla.mozilla.org/page.cgi?id=splinter.html&bug=756659&attachment=625833 modifications.

This means that the InvalidationThunk has already been collected and that we are marking it too late or that the IonCode is not traced the first time which cause the invalidation thunk to be garbage collected.
(In reply to Nicolas B. Pierron [:pierron] from comment #2)
> This means that the InvalidationThunk has already been collected and that we
> are marking it too late or that the IonCode is not traced the first time
> which cause the invalidation thunk to be garbage collected.

Oops, I was confused by the NULL pointer, which is not the invalidation but related to the tracer.

I wonder why we use MarkIonCodeRoot because root marking is supposed to be an unconditional marking of objects living on the stack.
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
MarkIonCodeRoot is used for exactly the reason you described (if an invalidated script is on the stack, there must be an invalidator thunk as well, and we have to mark it).
Attached patch Fix marking of the invalidator (obsolete) — Splinter Review
This patch has been reviewed by dvander.

The test case is still not working yet, and would likely be fixed after the next merge with mozilla-central including changes made in Bug 756732.
Attachment #626203 - Flags: review+
Oops, … Same comment, with the real patch this time.
Attachment #626203 - Attachment is obsolete: true
Attachment #626206 - Flags: review+
https://hg.mozilla.org/projects/ionmonkey/rev/9602aebd7e43

Should be marked as resolved after the merge with Bug 756732. (changeset 9de1e72ad539)
https://hg.mozilla.org/projects/ionmonkey/rev/a15a3a3b4647 (merge importing changeset 9de1e72ad539 modifications)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: core-security
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Large fragile testcase -> in-testsuite-
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.