Bug 776748 - IonMonkey: "Assertion failure: refcount_,"

Status: RESOLVED FIXED
Whiteboard: [fuzzblocker]
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Windows 7
Importance: -- critical
Target Milestone: ---
Assigned To: Nicolas B. Pierron [:nbp]
QA Contact: general
Blocks: jsfunfuzz IonFuzz 772509
Reported: 2012-07-23 16:18 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 08:00 PST
Flags: choller: in-testsuite+


Attachments

stack (2.62 KB, text/plain), 2012-07-23 16:18 PDT, Gary Kwong [:gkw] [:nth10sd]
proper stack (2.58 KB, text/plain), 2012-07-23 16:20 PDT, Gary Kwong [:gkw] [:nth10sd]
Do not invalidate the IonScript when JM is invalidated. (5.12 KB, patch), 2012-07-24 14:25 PDT, Nicolas B. Pierron [:nbp], dvander: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-07-23 16:18:53 PDT
Created attachment 645110
stack

var eCount = 0;
var funs = [function () {}, function () {}];
// Returns funs[0] for the first seven calls and funs[1] from the eighth
// call on, so the value observed at this site changes part-way through.
function someElement(a) {
    ++eCount;
    var i = (eCount >= 8) ? 1 : 0;
    return a[i];
}
var recursionGuard = 0;
// recursiveThing and e1 call each other: an odd recursionGuard recurses
// once more through e1, an even one returns.
function recursiveThing() {
    someElement(funs);
    if (++recursionGuard % 2) {
        e1();
    }
}
function e1() {
    try {} catch (e) {}
    someElement(funs);
    recursiveThing();
}
recursiveThing();
gc();  // js shell builtin: forces a garbage collection between the runs
recursiveThing();
recursiveThing();

asserts js debug shell on IonMonkey changeset 23a84dbb258f with --ion-eager and -a at Assertion failure: refcount_,

s-s because this involves gc.

Many thanks go out to Jesse for reducing to this from being hundreds of lines long.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-07-23 16:20:42 PDT
Created attachment 645111
proper stack
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-07-23 16:22:13 PDT
This and bug 776687 are fuzzblockers - they should be the ones that create lots of dupes.
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-07-23 17:23:33 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   100934:8ea86b9020a2
user:        Nicolas Pierron
date:        Mon Jul 16 23:19:26 2012 +0200
summary:     Bug 772509 - Freeze a compilation output instead of a script. r=bhackett,dvander
Comment 4 Nicolas B. Pierron [:nbp] 2012-07-24 14:25:19 PDT
Created attachment 645493
Do not invalidate the IonScript when JM is invalidated.

Decrement the reference counter only for scripts which have been incremented before.  This bug should only appear when the monitored values are frozen by both a compiled JM function and a compiled Ion function.  The second check is failing because the script which has been JM-compiled is also Ion-compiled and causes an additional decref to happen.
Comment 5 David Anderson [:dvander] 2012-07-24 16:34:38 PDT
Comment on attachment 645493: Do not invalidate the IonScript when JM is invalidated.

Review of attachment 645493:

Good catch.
Comment 6 Nicolas B. Pierron [:nbp] 2012-07-24 18:01:36 PDT
https://hg.mozilla.org/projects/ionmonkey/rev/eef915d5a18f

I removed the security-sensitive flag because this bug is fixed before IonMonkey landing in inbound and it only affects IonMonkey.
Comment 7 David Anderson [:dvander] 2012-07-25 02:10:05 PDT
Backed out due to tbpl failures: https://hg.mozilla.org/projects/ionmonkey/rev/41f66d0e46b3
Comment 8 Nicolas B. Pierron [:nbp] 2012-07-26 11:45:28 PDT
https://hg.mozilla.org/projects/ionmonkey/rev/02f44534f7f5
Comment 9 Christian Holler (:decoder) 2013-01-14 08:00:45 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug776748.js.
