Closed Bug 782083 Opened 7 years ago Closed 7 years ago

IonMonkey: Assertion failure: thing, at gc/Marking.cpp:87 or Opt-Crash [@ js::gc::MarkIonCodeRoot]

Categories: Core :: JavaScript Engine, defect, major
Branch: Other Branch
Hardware: x86, Linux
Priority: Not set
Status: RESOLVED FIXED
People: Reporter: decoder, Assigned: dvander
References: Blocks 1 open bug
Keywords: assertion, testcase
Whiteboard: [ion:p1:fx18] [jsbugmon:update,ignore]
Attachments: 1 file

The following testcase asserts on ionmonkey revision f1764bf06b29 (run with --ion -n -m --ion-eager):


gcPreserveCode();   // js shell builtin: keep JIT code alive across GCs
function r() {}
gczeal(2);          // js shell builtin: run debug GCs very frequently
evaluate("");
evaluate("\
function randomFloat () {\
    if (r < 0.25)\
        fac = 10000000;\
}\
for (var i = 0; i < 100000; i++)\
    randomFloat();\
");

Opt-Crash trace:


==4608== Invalid read of size 4
==4608==    at 0x82761D7: js::gc::MarkIonCodeRoot(JSTracer*, js::ion::IonCode**, char const*) (Heap.h:1011)
==4608==    by 0x832D8F0: js::ion::IonCompartment::mark(JSTracer*, JSCompartment*) (Ion.cpp:170)
==4608==    by 0x808EE74: JSCompartment::mark(JSTracer*) (jscompartment.cpp:460)
==4608==    by 0x80C5BA0: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.0 (jsgc.cpp:2612)
==4608==    by 0x80C6A2A: BeginMarkPhase(JSRuntime*) (jsgc.cpp:3322)
==4608==    by 0x80C7319: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3975)
==4608==    by 0x80C9E1B: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4186)
==4608==    by 0x80CA369: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4300)
==4608==    by 0x80CA5F5: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:4597)
==4608==    by 0x8179680: js_NewGCString(JSContext*) (jsgcinlines.h:446)
==4608==    by 0x81796BD: js_NewString(JSContext*, unsigned short*, unsigned int) (String-inl.h:206)
==4608==    by 0x827DD4A: js::StringBuffer::finishString() (StringBuffer.cpp:63)
==4608==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
S-s due to GC-related crash.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Whiteboard: [jsbugmon:update][ion:p1:fx18] → [ion:p1:fx18] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a8235a2a29c2).
A null crash or memory leak at worst.
Group: core-security
Attached patch: fix
The marking of EnterJIT is based on whether or not we can prove it's on the callstack. Previously, that meant if any Ion code was running at all. After the JM->Ion inlining patch, we have to be a little more strict: EnterJIT is only on the call stack if the activation came from EnterIon.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #651589 - Flags: review?(jdemooij)
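The marking rule in the patch comment above, as an added model in C++ (this is not SpiderMonkey code; IonCode, IonCompartment, Activation and the before/after mark functions are simplified stand-ins for the engine's types). The old predicate marks the EnterJIT root whenever any Ion activation exists, so when the activation came in through JM inlining and the trampoline was never generated it dereferences a null root, the condition behind the "thing" assertion and the Address 0x0 read in the trace. The new predicate marks it only when an EnterIon frame is on the stack; the second scenario checks that it still keeps a live trampoline from being swept.

```cpp
#include <cstdio>
#include <vector>

// Added illustration, not SpiderMonkey code: simplified stand-ins for the
// engine's IonCode / IonCompartment / activation types.

struct IonCode {
    const char *name;
    bool marked;
};

// How an Ion frame was entered. "InlinedFromJM" stands for the JM->Ion inlining
// path named in the comment: Ion code runs without passing through the EnterJIT
// trampoline, so the trampoline may never have been generated at all.
enum class Entry { EnterIon, InlinedFromJM };

struct Activation { Entry entry; };

struct IonCompartment {
    IonCode *enterJIT_ = nullptr;         // lazily generated; null until first EnterIon
    std::vector<Activation> activations;  // Ion frames currently on the stack
};

enum class MarkResult { Skipped, Marked, NullRoot };

// The shared marking step. A null root is what the real engine asserts on
// ("Assertion failure: thing") and reads through in the optimized build; the
// model reports it instead of dereferencing it.
static MarkResult markIonCodeRoot(IonCode **root) {
    if (*root == nullptr)
        return MarkResult::NullRoot;
    (*root)->marked = true;
    return MarkResult::Marked;
}

// Before the fix: EnterJIT was assumed to be on the stack whenever any Ion
// code was running at all.
static MarkResult markEnterJIT_before(IonCompartment &c) {
    if (c.activations.empty())
        return MarkResult::Skipped;
    return markIonCodeRoot(&c.enterJIT_);
}

// After the fix: EnterJIT is on the stack only if some activation came in
// through EnterIon.
static MarkResult markEnterJIT_after(IonCompartment &c) {
    for (const Activation &a : c.activations)
        if (a.entry == Entry::EnterIon)
            return markIonCodeRoot(&c.enterJIT_);
    return MarkResult::Skipped;
}

// Sweep phase of the model: unmarked code is freed. Returns whether the
// trampoline survived the collection.
static bool sweepKeepsEnterJIT(IonCompartment &c) {
    if (c.enterJIT_ != nullptr && !c.enterJIT_->marked)
        c.enterJIT_ = nullptr;  // freed
    return c.enterJIT_ != nullptr;
}

// The situation in the testcase: Ion code reached by JM inlining, trampoline
// never generated, GC triggered while that frame is live.
static MarkResult inlinedFrameNoTrampoline(bool useFix) {
    IonCompartment c;
    c.activations.push_back({Entry::InlinedFromJM});
    return useFix ? markEnterJIT_after(c) : markEnterJIT_before(c);
}

// The case the predicate must still get right after the fix: the trampoline
// exists and an EnterIon frame can return into it, so the sweep must not free it.
static bool enterIonFrameKeepsTrampoline(bool useFix) {
    IonCode trampoline{"EnterJIT", false};
    IonCompartment c;
    c.enterJIT_ = &trampoline;
    c.activations.push_back({Entry::EnterIon});
    MarkResult r = useFix ? markEnterJIT_after(c) : markEnterJIT_before(c);
    return r == MarkResult::Marked && sweepKeepsEnterJIT(c);
}

int main() {
    bool oldNull = inlinedFrameNoTrampoline(false) == MarkResult::NullRoot;
    bool newSkip = inlinedFrameNoTrampoline(true) == MarkResult::Skipped;
    std::printf("inlined frame, no trampoline: old predicate null root=%d, new predicate skipped=%d\n",
                oldNull, newSkip);
    std::printf("EnterIon frame keeps trampoline: old=%d new=%d\n",
                enterIonFrameKeepsTrampoline(false), enterIonFrameKeepsTrampoline(true));
    return 0;
}
```

The predicate that decides whether a root is marked has to match exactly what is on the stack: too broad and the collector reads through a root that was never set (this bug); too narrow and it frees code a live frame will still return into.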
Attachment #651589 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/a1435f952ff1
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+