IonMonkey: "Assertion failure: trc->runtime->gcIncrementalState == NO_INCREMENTAL || trc->runtime->gcIncrementalState == MARK_ROOTS,"

VERIFIED FIXED

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Assigned: nbp)

Tracking

(Blocks: 2 bugs, {assertion, sec-critical, testcase})

Other Branch
x86
Mac OS X
assertion, sec-critical, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Created attachment 625844 [details]
stack

The upcoming testcase asserts js debug shell on IonMonkey changeset d80602d38aa8 without any CLI arguments at Assertion failure: trc->runtime->gcIncrementalState == NO_INCREMENTAL || trc->runtime->gcIncrementalState == MARK_ROOTS,

s-s because gc is on the stack, tested after bug 756659 landed on IonMonkey.
(Assignee)

Comment 2

5 years ago
This bug is located after https://bugzilla.mozilla.org/page.cgi?id=splinter.html&bug=756659&attachment=625833 modifications.

This means that the InvalidationThunk has already been collected and that we are marking it too late or that the IonCode is not traced the first time which cause the invalidation thunk to be garbage collected.
(Assignee)

Comment 3

5 years ago
(In reply to Nicolas B. Pierron [:pierron] from comment #2)
> This means that the InvalidationThunk has already been collected and that we
> are marking it too late or that the IonCode is not traced the first time
> which cause the invalidation thunk to be garbage collected.

Oops, I was confused by the NULL pointer, which is not the invalidation but related to the tracer.

I wonder why we use MarkIonCodeRoot because root marking is supposed to be an unconditional marking of objects living on the stack.
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
MarkIonCodeRoot is used for exactly the reason you described (if an invalidated script is on the stack, there must be an invalidator thunk as well, and we have to mark it).
(Assignee)

Comment 5

5 years ago
Created attachment 626203 [details] [diff] [review]
Fix marking of the invalidator

This patch has been reviewed by dvander.

The test case is still not working yet, and would likely be fixed after the next merge with mozilla-central including changes made in Bug 756732.
Attachment #626203 - Flags: review+
(Assignee)

Comment 6

5 years ago
Created attachment 626206 [details] [diff] [review]
Fix marking of the invalidator

Oops, … Same comment, with the real patch this time.
Attachment #626203 - Attachment is obsolete: true
Attachment #626206 - Flags: review+
(Assignee)

Comment 7

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/9602aebd7e43

Should be marked as resolved after the merge with Bug 756732. (changeset 9de1e72ad539)
Keywords: sec-critical
(Assignee)

Comment 8

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/a15a3a3b4647 (merge importing changeset 9de1e72ad539 modifications)
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Group: core-security
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
(Reporter)

Comment 10

5 years ago
Large fragile testcase -> in-testsuite-
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.