IonMonkey: Assertion failure: thing, at gc/Marking.cpp:87 or Opt-Crash [@ js::gc::MarkIonCodeRoot]

RESOLVED FIXED

Status

Core
JavaScript Engine
--
major
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ion:p1:fx18] [jsbugmon:update,ignore])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on ionmonkey revision f1764bf06b29 (run with --ion -n -m --ion-eager):

gcPreserveCode();   // shell builtin: keep JIT code alive across GCs
function r() {}
gczeal(2);          // shell builtin: GC zeal mode 2, forces frequent collections
evaluate("");
evaluate("\
function randomFloat () {\
    if (r < 0.25)\
        fac = 10000000;\
}\
for (var i = 0; i < 100000; i++)\
    randomFloat();\
");
(Reporter)

Comment 1

5 years ago
Opt-Crash trace:


==4608== Invalid read of size 4
==4608==    at 0x82761D7: js::gc::MarkIonCodeRoot(JSTracer*, js::ion::IonCode**, char const*) (Heap.h:1011)
==4608==    by 0x832D8F0: js::ion::IonCompartment::mark(JSTracer*, JSCompartment*) (Ion.cpp:170)
==4608==    by 0x808EE74: JSCompartment::mark(JSTracer*) (jscompartment.cpp:460)
==4608==    by 0x80C5BA0: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.0 (jsgc.cpp:2612)
==4608==    by 0x80C6A2A: BeginMarkPhase(JSRuntime*) (jsgc.cpp:3322)
==4608==    by 0x80C7319: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3975)
==4608==    by 0x80C9E1B: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4186)
==4608==    by 0x80CA369: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4300)
==4608==    by 0x80CA5F5: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:4597)
==4608==    by 0x8179680: js_NewGCString(JSContext*) (jsgcinlines.h:446)
==4608==    by 0x81796BD: js_NewString(JSContext*, unsigned short*, unsigned int) (String-inl.h:206)
==4608==    by 0x827DD4A: js::StringBuffer::finishString() (StringBuffer.cpp:63)
==4608==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

S-s due to GC-related crash.
(Assignee)

Updated

5 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update][ion:p1:fx18] → [ion:p1:fx18] [jsbugmon:update,ignore]
(Reporter)

Comment 2

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a8235a2a29c2).
(Assignee)

Comment 3

5 years ago
A null crash or memory leak at worst.
Group: core-security
(Assignee)

Comment 4

5 years ago
Created attachment 651589 [details] [diff] [review]
fix

The marking of EnterJIT is based on whether or not we can prove it's on the callstack. Previously, that meant if any Ion code was running at all. After the JM->Ion inlining patch, we have to be a little more strict: EnterJIT is only on the call stack if the activation came from EnterIon.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #651589 - Flags: review?(jdemooij)
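The rule change described in comment 4, modelled as an added example. This is not the attached patch or SpiderMonkey code: the names (IonCompartment, markIonCodeRoot, Entry, Activation) are stand-ins, and it assumes the EnterJIT trampoline slot stays null until the first EnterIon entry. It contrasts the old rule (mark EnterJIT whenever any Ion code is running) with the fixed one (mark it only when an activation came through EnterIon), and shows that under the old rule a JM-entered activation hands the tracer a null root, which is the read of address 0x0 in comment 1.

```cpp
#include <cassert>
#include <vector>

// Hypothetical model of the marking decision from comment 4. Not SpiderMonkey
// code: every name below is a stand-in chosen for illustration.
// Assumption: the EnterJIT trampoline is generated lazily on the first
// EnterIon entry, so its slot holds null until then.
enum class Entry { FromJM, FromEnterIon };

struct IonCode {            // stands in for the GC thing MarkIonCodeRoot traces
    bool marked = false;
};

struct Tracer {
    int rootsMarked = 0;
    int nullRootsSeen = 0;  // each one is a read of address 0 in the real tracer
};

// Stand-in for MarkIonCodeRoot. The real routine dereferences *thingp without
// a null check (hence the "Address 0x0" read in comment 1); this model records
// a null root and returns false so the two rules can be compared in a test.
static bool markIonCodeRoot(Tracer &trc, IonCode **thingp) {
    if (*thingp == nullptr) {
        trc.nullRootsSeen++;
        return false;
    }
    (*thingp)->marked = true;
    trc.rootsMarked++;
    return true;
}

struct Activation {
    Entry entry;            // how Ion code was entered for this activation
};

struct IonCompartment {
    IonCode *enterJIT = nullptr;          // trampoline slot, null until generated
    std::vector<Activation> activations;  // innermost activation last

    // Model of EnterIon: generate the trampoline on first use, push an activation.
    void enterIon(IonCode *trampolineStorage) {
        if (enterJIT == nullptr)
            enterJIT = trampolineStorage;
        activations.push_back(Activation{Entry::FromEnterIon});
    }

    // Model of JM->Ion inlining: Ion code runs, but no trampoline was needed.
    void enterFromJM() {
        activations.push_back(Activation{Entry::FromJM});
    }

    // Old rule: EnterJIT is assumed on the stack whenever any Ion code runs.
    bool enterJITOnStackOld() const {
        return !activations.empty();
    }

    // Fixed rule: EnterJIT is on the stack only if an activation came via EnterIon.
    bool enterJITOnStackNew() const {
        for (const Activation &a : activations)
            if (a.entry == Entry::FromEnterIon)
                return true;
        return false;
    }

    // Mark phase for this compartment under the chosen rule.
    void mark(Tracer &trc, bool fixedRule) {
        bool onStack = fixedRule ? enterJITOnStackNew() : enterJITOnStackOld();
        if (onStack)
            markIonCodeRoot(trc, &enterJIT);
    }
};

// The testcase's scenario: Ion code entered only through JM, then a GC runs.
// Returns how many null roots the tracer was handed.
static int nullRootsDuringGC(bool fixedRule) {
    IonCompartment comp;
    comp.enterFromJM();
    Tracer trc;
    comp.mark(trc, fixedRule);
    return trc.nullRootsSeen;
}

// Control: an activation that did come through EnterIon still gets its
// trampoline marked, so the stricter rule does not under-mark.
static bool trampolineMarkedAfterEnterIon(bool fixedRule) {
    IonCompartment comp;
    IonCode trampoline;
    comp.enterIon(&trampoline);
    Tracer trc;
    comp.mark(trc, fixedRule);
    return trampoline.marked && trc.rootsMarked == 1;
}

int main() {
    assert(nullRootsDuringGC(false) == 1);     // old rule: tracer sees the null slot
    assert(nullRootsDuringGC(true) == 0);      // fixed rule: slot left alone
    assert(trampolineMarkedAfterEnterIon(true));
    assert(trampolineMarkedAfterEnterIon(false));
    return 0;
}
```

Compiled stand-alone, main() exercises both rules. The null-root counter replaces the fault so the two marking rules can be compared in a test; the point is that a root should be marked only when the invariant guaranteeing its existence (here, an EnterIon activation) actually holds.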

Updated

5 years ago
Attachment #651589 - Flags: review?(jdemooij) → review+
(Assignee)

Comment 5

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/a1435f952ff1
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+