IonMonkey: "Assertion failure: refcount_,"

RESOLVED FIXED


Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: gkw, Assigned: nbp)

Tracking

(Blocks: 2 bugs, {assertion, regression, testcase})

Other Branch
x86_64
Windows 7
assertion, regression, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fuzzblocker])

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Created attachment 645110 [details]
stack

var eCount = 0;
var funs = [function () {}, function () {}];
function someElement(a) {
    ++eCount;
    var i = (eCount >= 8) ? 1 : 0;
    return a[i]
}
var recursionGuard = 0;
function recursiveThing() {
    someElement(funs);
    if (++recursionGuard % 2) {
        e1();
    }
}
function e1() {
    try {} catch (e) {}
    someElement(funs);
    recursiveThing()
}
recursiveThing()
gc();
recursiveThing()
recursiveThing()

asserts js debug shell on IonMonkey changeset 23a84dbb258f with --ion-eager and -a at Assertion failure: refcount_,

s-s because this involves gc.

Many thanks go out to Jesse for reducing to this from being hundreds of lines long.
(Reporter)

Comment 1

5 years ago
Created attachment 645111 [details]
proper stack
Attachment #645110 - Attachment is obsolete: true
(Reporter)

Comment 2

5 years ago
This and bug 776687 are fuzzblockers - they should be the ones that create lots of dupes.
Whiteboard: [fuzzblocker]
(Reporter)

Comment 3

5 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   100934:8ea86b9020a2
user:        Nicolas Pierron
date:        Mon Jul 16 23:19:26 2012 +0200
summary:     Bug 772509 - Freeze a compilation output instead of a script. r=bhackett,dvander
Blocks: 772509
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Created attachment 645493 [details] [diff] [review]
Do not invalidate the IonScript when JM is invalidated.

Decrement the reference counter only for scripts which have been incremented before.  This bug should only appear when the monitored value is frozen by both a compiled JM function and a compiled Ion function.  The second check is failing because the script which has been JM-compiled is also Ion-compiled and causes an additional decref to happen.
Attachment #645493 - Flags: review?(dvander)
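The double decref described in the comment above, as an added, constructed model; this is not SpiderMonkey/IonMonkey code, and the class and function names (CompilationOutput, CompiledScript, invalidateJMBuggy, invalidateJMFixed, runScenario) are hypothetical:

```javascript
// Constructed model of the refcount bug discussed in this report (added
// example, not IonMonkey code). A frozen compilation output is refcounted;
// every compiled script that froze it takes one reference.
class CompilationOutput {
  constructor() { this.refcount_ = 0; }
  incref() { this.refcount_ += 1; }
  decref() {
    // Mirrors the failing check from the report: never drop below zero.
    if (!this.refcount_) throw new Error("Assertion failure: refcount_");
    this.refcount_ -= 1;
  }
}

// A JM- or Ion-compiled script holding a reference on the frozen output.
class CompiledScript {
  constructor(kind, output) {
    this.kind = kind; this.output = output; this.holdsRef = true;
    output.incref();
  }
  release() {
    if (!this.holdsRef) return;   // a holder releases at most once
    this.holdsRef = false;
    this.output.decref();
  }
}

// Buggy path: invalidating the JM script also invalidates the IonScript and
// decrefs on its behalf, without recording that the IonScript has released.
function invalidateJMBuggy(jm, ion) {
  jm.output.decref();
  ion.output.decref();   // the extra decref the comment describes
}

// Fixed path: only the script that took a reference releases it; the
// IonScript keeps its own reference until it is invalidated itself.
function invalidateJMFixed(jm, ion) {
  jm.release();
}

// Scenario from the description: both compilers freeze the same value, JM is
// invalidated first, then the Ion code is invalidated (e.g. by the GC).
function runScenario(invalidateJM) {
  const out = new CompilationOutput();
  const jm = new CompiledScript("jm", out);
  const ion = new CompiledScript("ion", out);
  try {
    invalidateJM(jm, ion);
    ion.release();
    return { ok: true, refcount: out.refcount_ };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```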
Comment on attachment 645493 [details] [diff] [review]
Do not invalidate the IonScript when JM is invalidated.

Review of attachment 645493 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch.
Attachment #645493 - Flags: review?(dvander) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/eef915d5a18f

I removed the security-sensitive flag because this bug is fixed before IonMonkey landing in inbound and it only affects IonMonkey.
Group: core-security
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Backed out due to tbpl failures: https://hg.mozilla.org/projects/ionmonkey/rev/41f66d0e46b3
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
https://hg.mozilla.org/projects/ionmonkey/rev/02f44534f7f5
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug776748.js.
Flags: in-testsuite+