Closed Bug 776748 Opened 12 years ago Closed 12 years ago

IonMonkey: "Assertion failure: refcount_,"

Categories: Core :: JavaScript Engine, defect
Version: Other Branch
Platform: x86_64, Windows 7
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED

People: Reporter: gkw, Assigned: nbp

Details: Keywords: assertion, regression, testcase; Whiteboard: [fuzzblocker]

Attachments: 2 files, 1 obsolete file

Attached file stack (obsolete) —
var eCount = 0;
var funs = [function () {}, function () {}];
function someElement(a) {
    ++eCount;
    var i = (eCount >= 8) ? 1 : 0;
    return a[i]
}
var recursionGuard = 0;
function recursiveThing() {
    someElement(funs);
    if (++recursionGuard % 2) {
        e1();
    }
}
function e1() {
    try {} catch (e) {}
    someElement(funs);
    recursiveThing()
}
recursiveThing()
gc();
recursiveThing()
recursiveThing()

asserts js debug shell on IonMonkey changeset 23a84dbb258f with --ion-eager and -a at Assertion failure: refcount_,

s-s because this involves gc.

Many thanks go out to Jesse for reducing to this from being hundreds of lines long.
Attached file proper stack
Attachment #645110 - Attachment is obsolete: true
This and bug 776687 are fuzzblockers - they should be the ones that create lots of dupes.
Whiteboard: [fuzzblocker]
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   100934:8ea86b9020a2
user:        Nicolas Pierron
date:        Mon Jul 16 23:19:26 2012 +0200
summary:     Bug 772509 - Freeze a compilation output instead of a script. r=bhackett,dvander
Blocks: 772509
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Decrement the reference counter only for scripts which have been incremented before. This bug should only appear when the monitored value is frozen by both a compiled JM function and a compiled Ion function. The second check is failing because the script which has been JM-compiled is also Ion-compiled and causes an additional decref to happen.
Attachment #645493 - Flags: review?(dvander)
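A simplified model of the unbalanced decrement described in the comment above, added here as an illustration; it is not SpiderMonkey code or the attached patch. The types and functions (IonCode, Script, Output, invalidate, underflowsFor) and the two-pass acquire/release structure are assumptions made for the example.

```cpp
#include <cstdio>
#include <vector>

// Simplified model; every name here is hypothetical, not SpiderMonkey's.
enum class Kind { JM, Ion };

struct IonCode {
    int refcount = 0;
    int underflows = 0;  // how often decref() ran with refcount == 0
    void incref() { ++refcount; }
    void decref() {
        // In a debug build this is where "Assertion failure: refcount_" would fire.
        if (refcount == 0) { ++underflows; return; }
        --refcount;
    }
};

struct Script { IonCode *ion; };               // null when the script has no Ion code
struct Output { Script *script; Kind kind; };  // one frozen compilation output

// Invalidate all outputs. With checkKind == false the release pass touches any
// entry whose script has Ion code; with true it mirrors the acquire pass.
void invalidate(const std::vector<Output> &invalid, bool checkKind) {
    // Acquire pass: pin Ion code only for entries that are Ion compilations.
    for (const Output &o : invalid)
        if (o.kind == Kind::Ion && o.script->ion)
            o.script->ion->incref();

    // Release pass: drop the pin taken above.
    for (const Output &o : invalid) {
        if (!o.script->ion) continue;
        if (checkKind && o.kind != Kind::Ion) continue;  // only entries incremented before
        o.script->ion->decref();
    }
}

// Constructed input: one script compiled by both JM and Ion, both outputs invalidated.
int underflowsFor(bool checkKind) {
    IonCode code;
    Script script{&code};
    std::vector<Output> invalid = {{&script, Kind::JM}, {&script, Kind::Ion}};
    invalidate(invalid, checkKind);
    return code.underflows;
}

int main() {
    std::printf("unchecked release: %d underflow(s)\n", underflowsFor(false));
    std::printf("kind-checked release: %d underflow(s)\n", underflowsFor(true));
    return 0;
}
```

In the unchecked run the JM entry consumes the single reference taken for the Ion entry, so the Ion entry's own release finds the count already at zero.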
Comment on attachment 645493
Do not invalidate the IonScript when JM is invalidated.

Review of attachment 645493:
-----------------------------------------------------------------

Good catch.
Attachment #645493 - Flags: review?(dvander) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/eef915d5a18f

I removed the security-sensitive flag because this bug is fixed before IonMonkey landing in inbound and it only affects IonMonkey.
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Backed out due to tbpl failures: https://hg.mozilla.org/projects/ionmonkey/rev/41f66d0e46b3
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
https://hg.mozilla.org/projects/ionmonkey/rev/02f44534f7f5
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug776748.js.
Flags: in-testsuite+