IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ js::gc::MarkIonCodeRoot]

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: major
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Version: Other Branch
Platform: x86
OS: Linux
Keywords: assertion, testcase
Bug Flags: in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Created attachment 632283 [details]
Testcase for shell

The attached testcase asserts on ionmonkey revision 4bcbb63b89c3 (run with --ion -n -m --ion-eager).
(Reporter)

Comment 1

5 years ago
Valgrind trace (opt build):
==3124== Invalid read of size 4
==3124==    at 0x8267B0F: js::gc::MarkIonCodeRoot(JSTracer*, js::ion::IonCode**, char const*) (Heap.h:970)
==3124==    by 0x8349DCB: js::ion::MarkIonActivations(JSRuntime*, JSTracer*) (IonFrames.cpp:571)
==3124==    by 0x80BCFE9: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.0 (jsgc.cpp:2434)
==3124==    by 0x80BDDA0: BeginMarkPhase(JSRuntime*) (jsgc.cpp:3089)
==3124==    by 0x80C0579: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind) (jsgc.cpp:3406)
==3124==    by 0x80C1AC1: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3866)
==3124==    by 0x80C1E08: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:3890)
==3124==    by 0x816D534: js_NewGCString(JSContext*) (jsgcinlines.h:413)
==3124==    by 0x816D56D: js_NewString(JSContext*, unsigned short*, unsigned int) (String-inl.h:177)
==3124==    by 0x8060F9B: JS_NewStringCopyZ (jsapi.cpp:5643)
==3124==    by 0x80AF5F5: js_ErrorToException(JSContext*, char const*, JSErrorReport*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*) (jsexn.cpp:974)
==3124==    by 0x808E8D1: js_ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, int, char*) (jscntxt.cpp:368)
==3124==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Crash Signature: [@ js::gc::MarkIonCodeRoot]
Summary: IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ compartment] → IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ js::gc::MarkIonCodeRoot]

Updated

5 years ago
Depends on: 764165
Created attachment 632461 [details] [diff] [review]
Preserve compartment IonCode on preserving GC.
Attachment #632461 - Flags: review?(dvander)
Created attachment 632536 [details] [diff] [review]
Trace ArgumentsRectifier via ImmGCPtr
Attachment #632461 - Attachment is obsolete: true
Attachment #632461 - Flags: review?(dvander)
Attachment #632536 - Flags: review?(dvander)

Updated

5 years ago
Duplicate of this bug: 764374

Updated

5 years ago
Duplicate of this bug: 764379

Updated

5 years ago
Duplicate of this bug: 764402
Attachment #632536 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/301b792b7090
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
http://hg.mozilla.org/projects/ionmonkey/rev/ccc07857ae9d

Quick orange fix -- we can't use the dataRelocations_ buffer: although it correctly traces the IonCode, it moves the wrong jump target. Fix is to use the jumpRelocations_ buffer by just making a call to the rectifier and instantiating a separate safepoint.
(Reporter)

Comment 9

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+