Closed
Bug 763989
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ js::gc::MarkIonCodeRoot]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files, 1 obsolete file)
Attachment 1: 1.09 KB, text/javascript (testcase)
Attachment 2: 846 bytes, patch; dvander: review+
The attached testcase asserts on ionmonkey revision 4bcbb63b89c3 (run with --ion -n -m --ion-eager).
Comment 1•12 years ago
Valgrind trace (opt build):
==3124== Invalid read of size 4
==3124== at 0x8267B0F: js::gc::MarkIonCodeRoot(JSTracer*, js::ion::IonCode**, char const*) (Heap.h:970)
==3124== by 0x8349DCB: js::ion::MarkIonActivations(JSRuntime*, JSTracer*) (IonFrames.cpp:571)
==3124== by 0x80BCFE9: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.0 (jsgc.cpp:2434)
==3124== by 0x80BDDA0: BeginMarkPhase(JSRuntime*) (jsgc.cpp:3089)
==3124== by 0x80C0579: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind) (jsgc.cpp:3406)
==3124== by 0x80C1AC1: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3866)
==3124== by 0x80C1E08: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:3890)
==3124== by 0x816D534: js_NewGCString(JSContext*) (jsgcinlines.h:413)
==3124== by 0x816D56D: js_NewString(JSContext*, unsigned short*, unsigned int) (String-inl.h:177)
==3124== by 0x8060F9B: JS_NewStringCopyZ (jsapi.cpp:5643)
==3124== by 0x80AF5F5: js_ErrorToException(JSContext*, char const*, JSErrorReport*, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*) (jsexn.cpp:974)
==3124== by 0x808E8D1: js_ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, char const*, unsigned int), void*, unsigned int, int, char*) (jscntxt.cpp:368)
==3124== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Crash Signature: [@ js::gc::MarkIonCodeRoot]
Summary: IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ compartment] → IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ js::gc::MarkIonCodeRoot]
Comment 2•12 years ago
Attachment #632461 - Flags: review?(dvander)
Comment 3•12 years ago
Attachment #632461 - Attachment is obsolete: true
Attachment #632461 - Flags: review?(dvander)
Attachment #632536 - Flags: review?(dvander)
Updated•12 years ago
Attachment #632536 - Flags: review?(dvander) → review+
Comment 7•12 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/301b792b7090
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 8•12 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/ccc07857ae9d
Quick orange fix -- we can't use the dataRelocations_ buffer: although it correctly traces the IonCode, it moves the wrong jump target. Fix is to use the jumpRelocations_ buffer by just making a call to the rectifier and instantiating a separate safepoint.
Comment 9•11 years ago
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+