Bug 780274 (Closed)
Opened 12 years ago
Closed 12 years ago
JM/IonMonkey: Crash [@ js::mjit::EnterMethodJIT] or "Assertion failure: info.isValid(),"
Categories: Core :: JavaScript Engine, defect
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla17

Flag | Tracking | Status
---|---|---
firefox17 | --- | affected
firefox-esr10 | --- | unaffected
People: Reporter gkw, Assignee nbp
References
Details
(5 keywords, Whiteboard: [ion:p1:fx18])
Crash Data
Attachments
(3 files, 2 obsolete files)
Description

The attached testcase asserts the js debug shell on IonMonkey changeset b457b592f609 with --no-ion and -a at Assertion failure: info.isValid(). Pretty sure this is a regression (not bisecting because the fragile testcase won't give accurate results). s-s because there seems to be a schedulegc call in the testcase. Bug 779124 is similar but the testcase there seems to no longer reproduce.
Comment 1 • 12 years ago (Reporter)
(I assigned it to Nicolas at his request) These are stacks from debug and opt shells.
Comment 2 • 12 years ago (Reporter)
Also assuming sec-critical.
Crash Signature: [@ js::mjit::EnterMethodJIT]
Keywords: crash, sec-critical
Summary: IonMonkey: "Assertion failure: info.isValid()," → IonMonkey: Crash [@ js::mjit::EnterMethodJIT] or "Assertion failure: info.isValid(),"
Updated • 12 years ago
Whiteboard: [ion:p1:fx18]
Comment 3 • 12 years ago (Assignee)
This patch adds forgotten free-rules.
Attachment #649464 - Flags: review?(dvander)
Comment 4 • 12 years ago (Assignee)
This bug affects both ff17 and IonMonkey. I will port the current patch on top of mozilla-central.
Depends on: 772509
Updated • 12 years ago (Assignee)
Attachment #649464 - Flags: review?(dvander) → review?(bhackett1024)
Updated • 12 years ago (Assignee)

Comment 6 • 12 years ago
Comment on attachment 649464 [details] [diff] [review]
Invalidate & Remove pending compilation when sweeping.

Review of attachment 649464 [details] [diff] [review]:
-----------------------------------------------------------------

What is the problem here, and how does this patch fix it? This logic looks like it should belong somewhere else; I don't think any direct changes to compartment sweeping should be necessary.
Comment 7 • 12 years ago (Assignee)
(In reply to Brian Hackett (:bhackett) from comment #6)
> Comment on attachment 649464 [details] [diff] [review]
> Invalidate & Remove pending compilation when sweeping.
>
> Review of attachment 649464 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> What is the problem here, and how does this patch fix it? This logic looks
> like it should belong somewhere else; I don't think any direct changes to
> compartment sweeping should be necessary.

One option would be to move that to the discardJitCode function. And instead of iterating on CellIterUnderGC we can just iterate on the list of CompilerOutput and invalidate all of them at the same time.
Comment 8 • 12 years ago (Assignee)
Move the sweeping of the compiler outputs and of pending recompilations to the sweepCompilerOutputs function and call it from the discardJitCode function.
Attachment #649464 - Attachment is obsolete: true
Attachment #649464 - Flags: review?(bhackett1024)
Attachment #649816 - Flags: review?(bhackett1024)
Updated • 12 years ago
status-firefox17: --- → affected
Comment 9 • 12 years ago
Comment on attachment 649816 [details] [diff] [review] Invalidate & Remove pending compilation when sweeping. Review of attachment 649816 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsinfer.cpp @@ +5733,5 @@ > + fop->delete_(constrainedOutputs); > + constrainedOutputs = NULL; > + } else { > + // A Compilation is running and the AutoEnterCompilation class has > + // captured an index into the constrainted ouputs vector and typos
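Review bot: the comment in the else branch of the hunk at js/src/jsinfer.cpp @@ +5733 misspells "constrained outputs" as "constrainted ouputs"; that is the typo the reviewer flags, so fix the spelling before landing. The same branch exists because an AutoEnterCompilation still holds an index into the vector, which is why `fop->delete_(constrainedOutputs); constrainedOutputs = NULL;` only runs in the other branch; state that reason explicitly in the comment, and make sure the entries that would otherwise have been swept are invalidated in that branch rather than left pointing at scripts the sweep is about to release.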
Attachment #649816 - Flags: review?(bhackett1024) → review+
Comment 10 • 12 years ago (Assignee)
Comment on attachment 649816 [details] [diff] [review]
Invalidate & Remove pending compilation when sweeping.

https://hg.mozilla.org/integration/mozilla-inbound/rev/b6319530d74c inbound
https://hg.mozilla.org/projects/ionmonkey/rev/8c33b71cce49 ionmonkey
Attachment #649816 - Flags: checkin+
Comment 11 • 12 years ago (Assignee)
These modifications, coming from the patch made for Bug 777537, should avoid the error which appears when the script is garbage collected and we assert the validity of the script by reading from the JSScript.
Attachment #650676 - Flags: review?(bhackett1024)
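The hazard the thread describes, as an added example that is not code from this bug, from SpiderMonkey or from any of the attached patches: a toy mark-and-sweep compartment keeps a vector of compiler outputs that point at scripts. If a GC sweeps a script while an output for it is still pending (comment 11), a later validity check reads through a dead script, which is the dangling pointer comment 14 refers to. `sweep_compiler_outputs` applies the approach of comments 7 and 8: walk the output list and invalidate every entry whose script is unmarked, before the scripts themselves are swept. Every identifier here (`Script`, `CompilerOutput`, `Compartment`, `sweep_compiler_outputs`, `run_scenario`) is a hypothetical stand-in, not one of the engine's types or functions.

```c
/* Added example, not SpiderMonkey code: a toy compartment in which a GC
 * sweep leaves a pending CompilerOutput pointing at a freed script unless
 * the output list is swept first.  All names are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_SCRIPTS 4
#define MAX_OUTPUTS 4

typedef struct Script {
    int id;
    bool marked;   /* set by the mark phase while the script is reachable */
    bool alive;    /* cleared by the sweep phase; stands in for a freed cell */
} Script;

/* One entry of the vector that an AutoEnterCompilation-style guard indexes. */
typedef struct CompilerOutput {
    Script *script;   /* NULL once the entry has been invalidated */
    bool pending;     /* compilation still in flight when the GC runs */
} CompilerOutput;

typedef struct Compartment {
    Script scripts[MAX_SCRIPTS];
    size_t nscripts;
    CompilerOutput outputs[MAX_OUTPUTS];
    size_t noutputs;
} Compartment;

static Script *new_script(Compartment *c, int id) {
    Script *s = &c->scripts[c->nscripts++];
    s->id = id; s->marked = false; s->alive = true;
    return s;
}

static void add_output(Compartment *c, Script *s, bool pending) {
    c->outputs[c->noutputs++] = (CompilerOutput){ s, pending };
}

/* Mark phase: the caller lists the ids of the scripts still reachable. */
static void mark(Compartment *c, const int *live_ids, size_t nlive) {
    for (size_t i = 0; i < c->nscripts; i++) {
        c->scripts[i].marked = false;
        for (size_t j = 0; j < nlive; j++)
            if (c->scripts[i].id == live_ids[j])
                c->scripts[i].marked = true;
    }
}

/* The fix from comments 7/8: walk the CompilerOutput list and invalidate
 * every entry whose script is unmarked, before sweep_scripts() releases it.
 * Returns the number of entries invalidated. */
static size_t sweep_compiler_outputs(Compartment *c) {
    size_t dropped = 0;
    for (size_t i = 0; i < c->noutputs; i++) {
        CompilerOutput *o = &c->outputs[i];
        if (o->script != NULL && !o->script->marked) {
            o->script = NULL;    /* nothing dangles after the sweep */
            o->pending = false;  /* that compilation can no longer land */
            dropped++;
        }
    }
    return dropped;
}

/* Sweep phase: release every unmarked script. */
static void sweep_scripts(Compartment *c) {
    for (size_t i = 0; i < c->nscripts; i++)
        if (!c->scripts[i].marked)
            c->scripts[i].alive = false;
}

/* The invariant behind the info.isValid() assertion: an output that still
 * names a script must name a live one (in the engine, a violation is a
 * read through a freed JSScript). */
static bool outputs_consistent(const Compartment *c) {
    for (size_t i = 0; i < c->noutputs; i++)
        if (c->outputs[i].script != NULL && !c->outputs[i].script->alive)
            return false;
    return true;
}

/* Scenario from the bug: script 2 becomes unreachable while a compilation
 * for it is still pending, then a GC runs with or without the fix.  Returns
 * whether the outputs are consistent; *dropped gets the invalidated count. */
static bool run_scenario(bool apply_fix, size_t *dropped) {
    Compartment c;
    memset(&c, 0, sizeof c);
    Script *s1 = new_script(&c, 1);
    Script *s2 = new_script(&c, 2);
    add_output(&c, s1, false);
    add_output(&c, s2, true);
    int live[] = { 1 };           /* only script 1 survives this GC */
    mark(&c, live, 1);
    *dropped = apply_fix ? sweep_compiler_outputs(&c) : 0;
    sweep_scripts(&c);
    return outputs_consistent(&c);
}
```

Without the fix, `run_scenario(false, ...)` reports an output still pointing at the swept script; with it, one entry is invalidated and the check passes. The point of doing the invalidation from the same place that discards JIT code, as comment 8 proposes, is that the output list is cleaned before the script memory can be reused.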
Comment 12 • 12 years ago
Adding the JM to the name so we don't just ignore this in security triage.
Summary: IonMonkey: Crash [@ js::mjit::EnterMethodJIT] or "Assertion failure: info.isValid()," → JM/IonMonkey: Crash [@ js::mjit::EnterMethodJIT] or "Assertion failure: info.isValid(),"
Updated • 12 years ago
Attachment #650676 - Flags: review?(bhackett1024) → review+
Comment 13 • 12 years ago
https://hg.mozilla.org/mozilla-central/rev/b6319530d74c
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Updated • 12 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 14 • 12 years ago (Assignee)
The latest patch causes more additional issues while checking the assertions. Bug 777537 will bring the necessary fixes to avoid any dangling pointers. Closing this bug since it has already landed on central and the latest patch cannot apply on inbound/central without plenty of issues in the test suite.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Comment 17 • 12 years ago (Reporter)
Comment on attachment 650676 [details] [diff] [review]
Avoid keeping a dangling pointer to a script after a sweep phase.

Should this patch now be obsoleted?
Comment 18 • 12 years ago (Assignee)
Comment on attachment 650676 [details] [diff] [review]
Avoid keeping a dangling pointer to a script after a sweep phase.

This patch is obsolete because Bug 777537 provides a better solution.
Attachment #650676 - Attachment is obsolete: true
Updated • 12 years ago
status-firefox-esr10: --- → unaffected
Updated • 12 years ago
Status: RESOLVED → VERIFIED
Comment 19 • 12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 10 years ago
Group: core-security