Closed Bug 769224 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: found, at methodjit/Retcon.cpp:133 or Opt-Crash trying to execute NULL

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][fuzzblocker])

Attachments

(2 files)

Attached file Testcase for shell
The attached testcase asserts on ionmonkey revision 4f57f42dc238 (run with --ion -n -m --ion-eager).
This is causing lots of signatures on opt builds.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Regression from bug 761854. What happens is:

- There's a native call IC
- PurgeJITCaches destroys this IC without updating the rejoin state (REJOIN_NATIVE)
- ClearAllFrames looks at the rejoin value and expects a native call IC

discardJitCode avoids this problem by calling ClearAllFrames before purging any caches.
Attached patch fix
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #637630 - Flags: review?(wmccloskey)
Jan: thanks for the analysis, spot on.
Comment on attachment 637630 [details] [diff] [review]
fix

I wish there were a way to assert that ClearAllFrames had been called. I'm not seeing anything, though.
Attachment #637630 - Flags: review?(wmccloskey) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/3112408514c8
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Group: core-security