Closed
Bug 776748
Opened 12 years ago
Closed 12 years ago
IonMonkey: "Assertion failure: refcount_,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: nbp)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])
Attachments
(2 files, 1 obsolete file)
2.58 KB,
text/plain
|
Details | |
5.12 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
var eCount = 0; var funs = [function () {}, function () {}]; function someElement(a) { ++eCount; var i = (eCount >= 8) ? 1 : 0; return a[i] } var recursionGuard = 0; function recursiveThing() { someElement(funs); if (++recursionGuard % 2) { e1(); } } function e1() { try {} catch (e) {} someElement(funs); recursiveThing() } recursiveThing() gc(); recursiveThing() recursiveThing() asserts js debug shell on IonMonkey changeset 23a84dbb258f with--ion-eager and -a at Assertion failure: refcount_, s-s because this involves gc. Many thanks go out to Jesse for reducing to this from being hundreds of lines long.
Reporter | ||
Comment 1•12 years ago
|
||
Attachment #645110 -
Attachment is obsolete: true
Reporter | ||
Comment 2•12 years ago
|
||
This and bug 776687 are fuzzblockers - they should be the ones that create lots of dupes.
Whiteboard: [fuzzblocker]
Reporter | ||
Comment 3•12 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 100934:8ea86b9020a2 user: Nicolas Pierron date: Mon Jul 16 23:19:26 2012 +0200 summary: Bug 772509 - Freeze a compilation output instead of a script. r=bhackett,dvander
Blocks: 772509
Assignee | ||
Updated•12 years ago
|
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Assignee | ||
Comment 4•12 years ago
|
||
Decrement the reference counter only for script which have been incremented before. This bug should only appear when the monitored values is frozen by both a compiled JM function and a compiled Ion function. The second check is failing because the script which has been JM-compiled is also Ion-compiled and cause an additional decref to happen.
Attachment #645493 -
Flags: review?(dvander)
Comment on attachment 645493 [details] [diff] [review] Do not invalidate the IonScript when JM is invalidated. Review of attachment 645493 [details] [diff] [review]: ----------------------------------------------------------------- Good catch.
Attachment #645493 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 6•12 years ago
|
||
https://hg.mozilla.org/projects/ionmonkey/rev/eef915d5a18f I removed the security-sensitive flag because this bug is fixed before IonMonkey landing in inbound and it only affect IonMonkey.
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Backed out due to tbpl failures: https://hg.mozilla.org/projects/ionmonkey/rev/41f66d0e46b3
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 8•12 years ago
|
||
https://hg.mozilla.org/projects/ionmonkey/rev/02f44534f7f5
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Comment 9•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug776748.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•