Closed
Bug 757304
Opened 13 years ago
Closed 13 years ago
IonMonkey: "Assertion failure: trc->runtime->gcIncrementalState == NO_INCREMENTAL || trc->runtime->gcIncrementalState == MARK_ROOTS,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: gkw, Assigned: nbp)
References
Details
(Keywords: assertion, sec-critical, testcase)
Attachments
(2 files, 1 obsolete file)
6.92 KB,
text/plain
|
Details | |
1.33 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
The upcoming testcase asserts js debug shell on IonMonkey changeset d80602d38aa8 without any CLI arguments at Assertion failure: trc->runtime->gcIncrementalState == NO_INCREMENTAL || trc->runtime->gcIncrementalState == MARK_ROOTS,
s-s because gc is on the stack, tested after bug 756659 landed on IonMonkey.
Assignee | ||
Comment 2•13 years ago
|
||
This bug is located after https://bugzilla.mozilla.org/page.cgi?id=splinter.html&bug=756659&attachment=625833 modifications.
This means that the InvalidationThunk has already been collected and that we are marking it too late or that the IonCode is not traced the first time which cause the invalidation thunk to be garbage collected.
Assignee | ||
Comment 3•13 years ago
|
||
(In reply to Nicolas B. Pierron [:pierron] from comment #2)
> This means that the InvalidationThunk has already been collected and that we
> are marking it too late or that the IonCode is not traced the first time
> which cause the invalidation thunk to be garbage collected.
Oops, I was confused by the NULL pointer, which is not the invalidation but related to the tracer.
I wonder why we use MarkIonCodeRoot because root marking is supposed to be an unconditional marking of objects living on the stack.
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
MarkIonCodeRoot is used for exactly the reason you described (if an invalidated script is on the stack, there must be an invalidator thunk as well, and we have to mark it).
Assignee | ||
Comment 5•13 years ago
|
||
This patch has been reviewed by dvander.
The test case is still not working yet, and would likely be fixed after the next merge with mozilla-central including changes made in Bug 756732.
Attachment #626203 -
Flags: review+
Assignee | ||
Comment 6•13 years ago
|
||
Oops, … Same comment, with the real patch this time.
Attachment #626203 -
Attachment is obsolete: true
Attachment #626206 -
Flags: review+
Assignee | ||
Comment 7•13 years ago
|
||
https://hg.mozilla.org/projects/ionmonkey/rev/9602aebd7e43
Should be marked as resolved after the merge with Bug 756732. (changeset 9de1e72ad539)
Updated•13 years ago
|
Keywords: sec-critical
Assignee | ||
Comment 8•13 years ago
|
||
https://hg.mozilla.org/projects/ionmonkey/rev/a15a3a3b4647 (merge importing changeset 9de1e72ad539 modifications)
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Group: core-security
Comment 9•13 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•