"Assertion failure: footer()->ionCode() == ((IonCode *)0x1) || footer()->ionCode() == ((IonCode *)0x2)" with XMLHttpRequest

RESOLVED FIXED in mozilla18

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 5 years ago

People

Reporter: Jesse Ruderman
Assigned: nbp

Tracking

Keywords: assertion, testcase
Version: Trunk
Target Milestone: mozilla18
Platform: x86_64, Mac OS X
Points: ---

Firefox Tracking Flags

(Not tracked)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 661034 [details]
testcase

With
  user_pref("javascript.options.methodjit.content", false);
the testcase asserts within a few seconds:

Assertion failure: footer()->ionCode() == ((IonCode *)0x1) || footer()->ionCode() == ((IonCode *)0x2), at js/src/ion/shared/IonFrames-x86-shared.h:179
(Assignee)

Updated

5 years ago
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
(Assignee)

Comment 1

5 years ago
I can reproduce it on x64 Linux.
Add Eric Faust to the CC list.

Here is the backtrace:
#5  0x00007f403ec948db in js::ion::IonExitFrameLayout::DOMExit (this=0x7fff4f3ae5e0) at /home/nicolas/mozilla/ionmonkey/js/src/ion/shared/IonFrames-x86-shared.h:178
#6  0x00007f403ec9611d in MarkIonExitFrame (trc=0x7f4027b02270, frame=...) at /home/nicolas/mozilla/ionmonkey/js/src/ion/IonFrames.cpp:520
#7  0x00007f403ec96432 in MarkIonActivation (trc=0x7f4027b02270, activations=...) at /home/nicolas/mozilla/ionmonkey/js/src/ion/IonFrames.cpp:590
#8  0x00007f403ec96544 in js::ion::MarkIonActivations (rt=0x7f4027b02000, trc=0x7f4027b02270) at /home/nicolas/mozilla/ionmonkey/js/src/ion/IonFrames.cpp:620
#9  0x00007f403e8f3ec8 in js::MarkRuntime (trc=0x7f4027b02270, useSavedRoots=false) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:2613
#10 0x00007f403e8f6489 in BeginMarkPhase (rt=0x7f4027b02000) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:3437
#11 0x00007f403e8f974a in IncrementalCollectSlice (rt=0x7f4027b02000, budget=10000, reason=js::gcreason::PAGE_HIDE, gckind=js::GC_NORMAL) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:4308
#12 0x00007f403e8f9f7e in GCCycle (rt=0x7f4027b02000, incremental=true, budget=10000, gckind=js::GC_NORMAL, reason=js::gcreason::PAGE_HIDE) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:4529
#13 0x00007f403e8fa446 in Collect (rt=0x7f4027b02000, incremental=true, budget=10000, gckind=js::GC_NORMAL, reason=js::gcreason::PAGE_HIDE) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:4643
#14 0x00007f403e8fa633 in js::GCSlice (rt=0x7f4027b02000, gckind=js::GC_NORMAL, reason=js::gcreason::PAGE_HIDE, millis=0) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:4681
#15 0x00007f403e8dd3c7 in js::IncrementalGC (rt=0x7f4027b02000, reason=js::gcreason::PAGE_HIDE, millis=0) at /home/nicolas/mozilla/ionmonkey/js/src/jsfriendapi.cpp:171
#16 0x00007f403cea5216 in nsJSContext::GarbageCollectNow (aReason=js::gcreason::PAGE_HIDE, aIncremental=nsJSContext::IncrementalGC, aCompartment=nsJSContext::CompartmentGC, aShrinking=nsJSContext::NonShrinkingGC, aSliceMillis=0)
    at /home/nicolas/mozilla/ionmonkey/dom/base/nsJSEnvironment.cpp:2963
#17 0x00007f403cea5ea3 in GCTimerFired (aTimer=0x7f401713be60, aClosure=0x12) at /home/nicolas/mozilla/ionmonkey/dom/base/nsJSEnvironment.cpp:3227
#18 0x00007f403de4d7ec in nsTimerImpl::Fire (this=0x7f401713be60) at /home/nicolas/mozilla/ionmonkey/xpcom/threads/nsTimerImpl.cpp:473
#19 0x00007f403de4dc21 in nsTimerEvent::Run (this=0x7f402b560308) at /home/nicolas/mozilla/ionmonkey/xpcom/threads/nsTimerImpl.cpp:556
#20 0x00007f403de458b6 in nsThread::ProcessNextEvent (this=0x7f4041caba10, mayWait=true, result=0x7fff4f3adcdf) at /home/nicolas/mozilla/ionmonkey/xpcom/threads/nsThread.cpp:624
#21 0x00007f403ddd6172 in NS_ProcessNextEvent_P (thread=0x7f4041caba10, mayWait=true) at /home/nicolas/mozilla/ionmonkey/_build/master/x64/gcc45/dbg/xpcom/build/nsThreadUtils.cpp:220
#22 0x00007f403cb2db98 in nsXMLHttpRequest::Send (this=0x7f4012a7dc00, aVariant=0x0, aBody=...) at /home/nicolas/mozilla/ionmonkey/content/base/src/nsXMLHttpRequest.cpp:3031
#23 0x00007f403dd7fd93 in nsXMLHttpRequest::Send (this=0x7f4012a7dc00, aBody=...) at /home/nicolas/mozilla/ionmonkey/content/base/src/nsXMLHttpRequest.h:346
#24 0x00007f403dd7fe03 in nsXMLHttpRequest::Send (this=0x7f4012a7dc00, aRv=...) at /home/nicolas/mozilla/ionmonkey/content/base/src/nsXMLHttpRequest.h:356
#25 0x00007f403dd8101d in mozilla::dom::XMLHttpRequestBinding::send (cx=0x7f40199ad0d0, obj=..., self=0x7f4012a7dc00, argc=0, vp=0x7fff4f3ae600) at /home/nicolas/mozilla/ionmonkey/_build/master/x64/gcc45/dbg/dom/bindings/XMLHttpRequestBinding.cpp:440
#26 0x00007f4029aabb31 in ?? ()
(Assignee)

Comment 2

5 years ago
Created attachment 661822 [details] [diff] [review]
Fix Bogus assertion while marking DOM method exit frame.
Attachment #661822 - Flags: review?(efaustbmo)

Comment 3

5 years ago
Comment on attachment 661822 [details] [diff] [review]
Fix Bogus assertion while marking DOM method exit frame.

Review of attachment 661822 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good. Thanks.

::: js/src/ion/arm/IonFrames-arm.h
@@ +195,5 @@
> +    inline bool isDomExit() {
> +        return
> +            footer()->ionCode() == ION_FRAME_DOMGETTER ||
> +            footer()->ionCode() == ION_FRAME_DOMSETTER ||
> +            footer()->ionCode() == ION_FRAME_DOMMETHOD;
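
Review bot: isDomExit() here in IonFrames-arm.h duplicates a predicate that the failing assertion shows also lives in IonFrames-x86-shared.h, and that assertion compares against only two sentinel values while this hunk tests three, so the per-architecture copies can drift whenever a new DOM exit-frame token is added. Consider defining the check once in architecture-independent code, and reading footer()->ionCode() into a local so the three comparisons test a single value.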

Is there any reason for the stylistic discrepancy here between this and the x86-shared version? Not that it matters, just mildly surprising.
Attachment #661822 - Flags: review?(efaustbmo) → review+
(Assignee)

Comment 4

5 years ago
(In reply to Eric Faust [:efaust] from comment #3)
> Comment on attachment 661822 [details] [diff] [review]
> Fix Bogus assertion while marking DOM method exit frame.
> 
> Review of attachment 661822 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Looks good. Thanks.
> 
> ::: js/src/ion/arm/IonFrames-arm.h
> @@ +195,5 @@
> > +    inline bool isDomExit() {
> > +        return
> > +            footer()->ionCode() == ION_FRAME_DOMGETTER ||
> > +            footer()->ionCode() == ION_FRAME_DOMSETTER ||
> > +            footer()->ionCode() == ION_FRAME_DOMMETHOD;
> 
> Is there any reason for the stylistic discrepancy here between this and the
> x86-shared version? Not that it matters, just mildly surprising.

No, I just forgot to update the ARM version, I will do so and push it.
(Assignee)

Comment 5

5 years ago
Remove s-s, this assertion was bogus and it does not affect optimized builds.  No security risk in the current test.

https://hg.mozilla.org/integration/mozilla-inbound/rev/fee9427c15c8
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/fee9427c15c8
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18