Bug 763989 - IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ js::gc::MarkIonCodeRoot]
Status: RESOLVED FIXED
[jsbugmon:update]
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Other Branch
: x86 Linux
: -- major
: ---
Assigned To: general
:
: Jason Orendorff [:jorendorff]
Mentors:
: 764374 764379 764402
Depends on: 764165
Blocks: langfuzz IonFuzz
Reported: 2012-06-12 09:12 PDT by Christian Holler (:decoder)
Modified: 2013-02-07 05:16 PST
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments
Testcase for shell (1.09 KB, text/javascript)
2012-06-12 09:12 PDT, Christian Holler (:decoder)
no flags
Preserve compartment IonCode on preserving GC. (3.13 KB, patch)
2012-06-12 16:21 PDT, Sean Stangl [:sstangl]
no flags
Trace ArgumentsRectifier via ImmGCPtr (846 bytes, patch)
2012-06-12 21:09 PDT, Sean Stangl [:sstangl]
dvander: review+

Description Christian Holler (:decoder) 2012-06-12 09:12:11 PDT
Created attachment 632283
Testcase for shell

The attached testcase asserts on ionmonkey revision 4bcbb63b89c3 (run with --ion -n -m --ion-eager).
Comment 1 Christian Holler (:decoder) 2012-06-12 09:14:19 PDT
Valgrind trace (opt build):

==3124== Invalid read of size 4
==3124==    at 0x8267B0F: js::gc::MarkIonCodeRoot(JSTracer*, js::ion::IonCode**, char const*) (Heap.h:970)
==3124==    by 0x8349DCB: js::ion::MarkIonActivations(JSRuntime*, JSTracer*) (IonFrames.cpp:571)
==3124==    by 0x80BCFE9: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.0 (jsgc.cpp:2434)
==3124==    by 0x80BDDA0: BeginMarkPhase(JSRuntime*) (jsgc.cpp:3089)
==3124==    by 0x80C0579: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind) (jsgc.cpp:3406)
==3124==    by 0x80C1AC1: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3866)
==3124==    by 0x80C1E08: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:3890)
==3124==    by 0x816D534: js_NewGCString(JSContext*) (jsgcinlines.h:413)
==3124==    by 0x816D56D: js_NewString(JSContext*, unsigned short*, unsigned int) (String-inl.h:177)
==3124==    by 0x8060F9B: JS_NewStringCopyZ (jsapi.cpp:5643)
==3124==    by 0x80AF5F5: js_ErrorToException(JSContext*, char const*, JSErrorReport*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*) (jsexn.cpp:974)
==3124==    by 0x808E8D1: js_ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, int, char*) (jscntxt.cpp:368)
==3124==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Comment 2 Sean Stangl [:sstangl] 2012-06-12 16:21:22 PDT
Created attachment 632461
Preserve compartment IonCode on preserving GC.
Comment 3 Sean Stangl [:sstangl] 2012-06-12 21:09:01 PDT
Created attachment 632536
Trace ArgumentsRectifier via ImmGCPtr
Comment 4 Sean Stangl [:sstangl] 2012-06-13 11:30:49 PDT
*** Bug 764374 has been marked as a duplicate of this bug. ***
Comment 5 Sean Stangl [:sstangl] 2012-06-13 11:32:16 PDT
*** Bug 764379 has been marked as a duplicate of this bug. ***
Comment 6 Sean Stangl [:sstangl] 2012-06-13 11:35:56 PDT
*** Bug 764402 has been marked as a duplicate of this bug. ***
Comment 7 Sean Stangl [:sstangl] 2012-06-13 11:57:43 PDT
http://hg.mozilla.org/projects/ionmonkey/rev/301b792b7090
Comment 8 Sean Stangl [:sstangl] 2012-06-13 13:11:51 PDT
http://hg.mozilla.org/projects/ionmonkey/rev/ccc07857ae9d

Quick orange fix -- we can't use the dataRelocations_ buffer: although it correctly traces the IonCode, it moves the wrong jump target. Fix is to use the jumpRelocations_ buffer by just making a call to the rectifier and instantiating a separate safepoint.
Comment 9 Christian Holler (:decoder) 2013-02-07 05:16:24 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397