IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:826

RESOLVED FIXED

Status

Core
JavaScript Engine
--
major
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86_64
Linux
assertion, testcase

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update][ion:p1:fx18])

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on ionmonkey revision 23a84dbb258f (run with --ion -n -m):


gcPreserveCode();
string_split( "hello", "ll" );
function string_split ( __this, R) {
  var S = String(__this );
  var q = 0;
  while (true ) {
    z = SplitMatch(R, S, q);
    q = q + ('abc');
  }
}
function SplitMatch(R, S, q) {
  if (R.constructor == RegExp)
    a = new Array(reResult.length - 1);
  var r = R.length;
  s = S.length;
  if ((q + r) > s)
    return false;
  for (var i = 0; i < r; i++) {}
}
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
(Assignee)

Updated

5 years ago
Assignee: general → jdemooij
Status: NEW → ASSIGNED
(Assignee)

Comment 1

5 years ago
Created attachment 647187 [details] [diff] [review]
Patch

The safepoint contained a bogus GC argument slot due to CallConstructor not popping the |this| value slot. Note that all other callers of dropArguments also add 1.

I tried to add the testcase but couldn't get it to run fast enough so I decided not to add it.
Attachment #647187 - Flags: review?(dvander)
(Assignee)

Comment 2

5 years ago
Created attachment 647208 [details] [diff] [review]
Patch

Updated patch to assert that pushedArgumentSlots_ is empty after codegen, to catch similar bugs in the future.
Attachment #647187 - Attachment is obsolete: true
Attachment #647187 - Flags: review?(dvander)
Attachment #647208 - Flags: review?(dvander)
Comment on attachment 647208 [details] [diff] [review]
Patch

Review of attachment 647208 [details] [diff] [review]:
-----------------------------------------------------------------

the assert is invalid because calls could nest - r=me other than that
Attachment #647208 - Flags: review?(dvander) → review+
Whoops sorry I misread context - assert is fine.
(Assignee)

Comment 5

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/75f02a17f7cd
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Updated

5 years ago
Group: core-security
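
A simplified model of the bookkeeping described in comments 1 and 2, added here as an example; it is not IonMonkey source and not code from the patch. pushedArgumentSlots_ and dropArguments are the names used in the bug; ModelCodegen, emitCall and the two helper functions are hypothetical, and slots are modelled as plain indices.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model, not IonMonkey source: codegen tracks the stack slots that
// hold call arguments, and every safepoint snapshots them for the GC to trace.
struct ModelCodegen {
    std::vector<size_t> pushedArgumentSlots_;      // name taken from the bug
    std::vector<std::vector<size_t>> safepoints;   // slots recorded per call

    void pushArgument() { pushedArgumentSlots_.push_back(pushedArgumentSlots_.size()); }

    void dropArguments(size_t count) {
        for (size_t i = 0; i < count; i++)
            pushedArgumentSlots_.pop_back();
    }

    // A call pushes argc arguments plus one slot for |this|. dropThis=false
    // models the defect: only argc slots are dropped afterwards.
    void emitCall(size_t argc, bool dropThis) {
        for (size_t i = 0; i < argc + 1; i++)
            pushArgument();
        safepoints.push_back(pushedArgumentSlots_);
        dropArguments(dropThis ? argc + 1 : argc);
    }
};

// Stale slots the GC would be told to trace at a later, correct call.
size_t staleSlotsInNextSafepoint(bool dropThis) {
    ModelCodegen cg;
    cg.emitCall(2, dropThis);   // the call under test
    cg.emitCall(1, true);       // a following call that drops argc + 1
    return cg.safepoints.back().size() - (1 + 1);
}

// The invariant comment 2 asserts: nothing is left pushed after codegen.
bool balancedAfterCodegen(bool dropThis) {
    ModelCodegen cg;
    cg.emitCall(2, dropThis);
    return cg.pushedArgumentSlots_.empty();
}

int main() {
    std::printf("stale slots: buggy=%zu fixed=%zu\n",
                staleSlotsInNextSafepoint(false), staleSlotsInNextSafepoint(true));
    std::printf("balanced:    buggy=%d fixed=%d\n",
                balancedAfterCodegen(false), balancedAfterCodegen(true));
    return 0;
}
```

In the model, the leftover |this| slot shows up in the safepoint of the next call, which is why an emptiness check at the end of codegen catches the imbalance even when no GC runs.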