Bug 776748 - IonMonkey: "Assertion failure: refcount_,"
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Other Branch
: x86_64 Windows 7
: -- critical
: ---
Assigned To: Nicolas B. Pierron [:nbp]
: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz IonFuzz 772509
Reported: 2012-07-23 16:18 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 08:00 PST
choller: in‑testsuite+

stack (2.62 KB, text/plain)
2012-07-23 16:18 PDT, Gary Kwong [:gkw] [:nth10sd]
proper stack (2.58 KB, text/plain)
2012-07-23 16:20 PDT, Gary Kwong [:gkw] [:nth10sd]
Do not invalidate the IonScript when JM is invalidated. (5.12 KB, patch)
2012-07-24 14:25 PDT, Nicolas B. Pierron [:nbp]
dvander: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-07-23 16:18:53 PDT
Created attachment 645110

var eCount = 0;
var funs = [function () {}, function () {}];
function someElement(a) {
    var i = (eCount >= 8) ? 1 : 0;
    return a[i]
var recursionGuard = 0;
function recursiveThing() {
    if (++recursionGuard % 2) {
function e1() {
    try {} catch (e) {}

asserts js debug shell on IonMonkey changeset 23a84dbb258f with --ion-eager and -a at Assertion failure: refcount_,

s-s because this involves gc.

Many thanks go out to Jesse for reducing to this from being hundreds of lines long.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-07-23 16:20:42 PDT
Created attachment 645111
proper stack
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-07-23 16:22:13 PDT
This and bug 776687 are fuzzblockers - they should be the ones that create lots of dupes.
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-07-23 17:23:33 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   100934:8ea86b9020a2
user:        Nicolas Pierron
date:        Mon Jul 16 23:19:26 2012 +0200
summary:     Bug 772509 - Freeze a compilation output instead of a script. r=bhackett,dvander
Comment 4 Nicolas B. Pierron [:nbp] 2012-07-24 14:25:19 PDT
Created attachment 645493
Do not invalidate the IonScript when JM is invalidated.

Decrement the reference counter only for scripts which have been incremented before. This bug should only appear when the monitored values are frozen by both a compiled JM function and a compiled Ion function. The second check is failing because the script which has been JM-compiled is also Ion-compiled and causes an additional decref to happen.
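
Added example, not part of the bug report or the attached patch: a simplified C++ model of the refcount imbalance described in comment 4, where a script compiled by both JM and Ion receives one incref but two decrefs. All type and function names are hypothetical, and the two-pass structure is an assumption made for illustration.

```cpp
#include <cstdio>
#include <vector>

// Simplified model; every name here is hypothetical, not SpiderMonkey code.
enum class Compiler { JM, Ion };

struct IonScriptModel {
    int refcount = 0;
    bool underflow = false;  // stands in for "Assertion failure: refcount_"
    void incref() { ++refcount; }
    void decref() { if (refcount == 0) underflow = true; else --refcount; }
};

struct ScriptModel { IonScriptModel *ion = nullptr; };  // ion set when Ion-compiled
struct CompilerOutput { Compiler kind; ScriptModel *script; };

// Pass 1 takes a reference for each Ion output; pass 2 drops references.
// pairedOnly=false drops one for every output whose script has an IonScript,
// so a JM output of a script that is also Ion-compiled adds an unpaired decref.
bool invalidateUnderflows(const std::vector<CompilerOutput> &frozen, bool pairedOnly) {
    for (const CompilerOutput &co : frozen)
        if (co.kind == Compiler::Ion && co.script->ion)
            co.script->ion->incref();
    bool underflow = false;
    for (const CompilerOutput &co : frozen) {
        IonScriptModel *ion = co.script->ion;
        if (!ion || (pairedOnly && co.kind != Compiler::Ion))
            continue;
        ion->decref();
        underflow = underflow || ion->underflow;
    }
    return underflow;
}

// Constructed scenario: one script compiled by both JM and Ion, frozen by both.
bool bothCompilersCase(bool pairedOnly) {
    IonScriptModel ion;
    ScriptModel script;
    script.ion = &ion;
    std::vector<CompilerOutput> frozen = {{Compiler::JM, &script}, {Compiler::Ion, &script}};
    return invalidateUnderflows(frozen, pairedOnly);
}

int main() {
    std::printf("unpaired decref underflows: %d\n", bothCompilersCase(false));
    std::printf("paired decref underflows:   %d\n", bothCompilersCase(true));
    return 0;
}
```

In a release build without the assertion, an unpaired decref of this kind can release an object that is still in use, which is why a refcount assertion in GC-adjacent code is triaged as potentially security-sensitive.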
Comment 5 David Anderson [:dvander] 2012-07-24 16:34:38 PDT
Comment on attachment 645493
Do not invalidate the IonScript when JM is invalidated.

Review of attachment 645493:

Good catch.
Comment 6 Nicolas B. Pierron [:nbp] 2012-07-24 18:01:36 PDT

I removed the security-sensitive flag because this bug is fixed before IonMonkey landing in inbound and it only affects IonMonkey.
Comment 7 David Anderson [:dvander] 2012-07-25 02:10:05 PDT
Backed out due to tbpl failures:
Comment 8 Nicolas B. Pierron [:nbp] 2012-07-26 11:45:28 PDT
Comment 9 Christian Holler (:decoder) 2013-01-14 08:00:45 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug776748.js.
