Closed Bug 763989 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ js::gc::MarkIonCodeRoot]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major


RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

Attached file Testcase for shell
The attached testcase asserts on ionmonkey revision 4bcbb63b89c3 (run with --ion -n -m --ion-eager).
Valgrind trace (opt build):

==3124== Invalid read of size 4
==3124==    at 0x8267B0F: js::gc::MarkIonCodeRoot(JSTracer*, js::ion::IonCode**, char const*) (Heap.h:970)
==3124==    by 0x8349DCB: js::ion::MarkIonActivations(JSRuntime*, JSTracer*) (IonFrames.cpp:571)
==3124==    by 0x80BCFE9: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.0 (jsgc.cpp:2434)
==3124==    by 0x80BDDA0: BeginMarkPhase(JSRuntime*) (jsgc.cpp:3089)
==3124==    by 0x80C0579: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind) (jsgc.cpp:3406)
==3124==    by 0x80C1AC1: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3866)
==3124==    by 0x80C1E08: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:3890)
==3124==    by 0x816D534: js_NewGCString(JSContext*) (jsgcinlines.h:413)
==3124==    by 0x816D56D: js_NewString(JSContext*, unsigned short*, unsigned int) (String-inl.h:177)
==3124==    by 0x8060F9B: JS_NewStringCopyZ (jsapi.cpp:5643)
==3124==    by 0x80AF5F5: js_ErrorToException(JSContext*, char const*, JSErrorReport*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*) (jsexn.cpp:974)
==3124==    by 0x808E8D1: js_ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, int, char*) (jscntxt.cpp:368)
==3124==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Crash Signature: [@ js::gc::MarkIonCodeRoot]
Summary: IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ compartment] → IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ js::gc::MarkIonCodeRoot]
Depends on: 764165
Attachment #632461 - Flags: review?(dvander)
Attachment #632461 - Attachment is obsolete: true
Attachment #632461 - Flags: review?(dvander)
Attachment #632536 - Flags: review?(dvander)
Attachment #632536 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/301b792b7090
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
http://hg.mozilla.org/projects/ionmonkey/rev/ccc07857ae9d

Quick orange fix -- we can't use the dataRelocations_ buffer: although it correctly traces the IonCode, it moves the wrong jump target. Fix is to use the jumpRelocations_ buffer by just making a call to the rectifier and instantiating a separate safepoint.
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+