Closed Bug 779328 Opened 9 years ago Closed 9 years ago

IonMonkey: "Assertion failure: !aheader->hasFreeThings(),"

Categories

(Core :: JavaScript Engine, defect)

Other Branch
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
firefox17 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: dvander)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][ion:p1:fx18])

Attachments

(3 files, 1 obsolete file)

Attached file stack from Windows 7 (obsolete)
The upcoming attached testcase asserts the js debug shell on IonMonkey changeset b46621aba6fd without any CLI arguments at: Assertion failure: !aheader->hasFreeThings(),

Setting s-s because gc is on the stack.
Attached file stack from Windows 7
Attachment #647717 - Attachment is obsolete: true
Seeing this as well, but tests are hard to reduce. I'll try to come up with a smaller one, but I don't think it's going to work well.
dvander has mentioned that this seems to be the same cause as an intermittent orange as well - also setting [fuzzblocker].
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [fuzzblocker]
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #3)
> Not-so-small regression window:
> 
> http://hg.mozilla.org/projects/ionmonkey/pushloghtml?fromchange=23a84dbb258f&tochange=b46621aba6fd

Here's a slightly smaller regression window:

http://hg.mozilla.org/projects/ionmonkey/pushloghtml?fromchange=23a84dbb258f&tochange=08187a7ea897
Whiteboard: [fuzzblocker] → [fuzzblocker][ion:p1:fx18]
I have a fix for this but I don't understand why it works. It seems like it might be unsafe to call AutoCopyFreelistsToArenas from ResetIncrementalGC, if ResetIncrementalGC was not called from BudgetIncremental. Need to talk to Bill tomorrow.
Attached patch fix
Bill explained the problem and suggested this fix. The problem is that the code right under the current placement of AutoCopyFreeListToArenas can GC, which can nest instances of this RAII object, which is not legal. The fix is to just move it down a bit.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #648064 - Flags: review?(wmccloskey)
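To make the failure mode in the comment above concrete, here is an added, self-contained C++ model (not SpiderMonkey code, and not the patch from this bug): a hypothetical copy-and-restore RAII guard standing in for AutoCopyFreeListToArenas, a hypothetical GC routine that takes the same guard, and the two placements of the guard in a reset routine. With the guard taken before the code that can GC, the nested instance clobbers the cached free list; with the guard moved below that code, nothing is lost. The nesting counter is a constructed debug check, not something the page describes.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>

// Hypothetical model: an arena owns a free list that the allocator normally
// keeps in a fast-path cache. The guard copies the cached list into the arena
// for the duration of a GC phase and moves it back on destruction.
struct Arena { uintptr_t freeList = 0; int guardDepth = 0; bool nestingSeen = false; };
struct FastPathCache { uintptr_t cachedFreeList = 0; };

class CopyFreeListToArena {
 public:
  CopyFreeListToArena(Arena& a, FastPathCache& c) : arena_(a), cache_(c) {
    // Debug check (constructed): a second live guard on the same arena means
    // the inner copy sees an already-moved list and the outer restore wins.
    if (arena_.guardDepth++ > 0) arena_.nestingSeen = true;
    arena_.freeList = cache_.cachedFreeList;
    cache_.cachedFreeList = 0;
  }
  ~CopyFreeListToArena() {
    cache_.cachedFreeList = arena_.freeList;
    arena_.freeList = 0;
    arena_.guardDepth--;
  }
 private:
  Arena& arena_;
  FastPathCache& cache_;
};

// Hypothetical GC work that itself takes the guard, as the comment says the
// code below the original guard placement can do.
void gcWorkThatTakesGuard(Arena& a, FastPathCache& c) {
  CopyFreeListToArena guard(a, c);
  // ... sweeping would consult a.freeList here ...
}

struct Outcome { uintptr_t cachedAfter; bool nested; };

// guardFirst=true models the original placement; false models the fix
// (guard moved below the code that can GC). 0x1000 is a constructed value.
Outcome resetIncremental(bool guardFirst) {
  Arena a; FastPathCache c; c.cachedFreeList = 0x1000;
  if (guardFirst) { CopyFreeListToArena g(a, c); gcWorkThatTakesGuard(a, c); }
  else { gcWorkThatTakesGuard(a, c); CopyFreeListToArena g(a, c); }
  return {c.cachedFreeList, a.nestingSeen};
}

int main() {
  Outcome bad = resetIncremental(true), good = resetIncremental(false);
  std::printf("guard first: nested=%d cached=0x%lx\n", bad.nested, (unsigned long)bad.cachedAfter);
  std::printf("guard after:  nested=%d cached=0x%lx\n", good.nested, (unsigned long)good.cachedAfter);
  return 0;
}
```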
Attachment #648064 - Flags: review?(wmccloskey) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/6d6f1ce4c9f9
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security