Closed
Bug 791122
Opened 12 years ago
Closed 12 years ago
"Assertion failure: footer()->ionCode() == ((IonCode *)0x1) || footer()->ionCode() == ((IonCode *)0x2)" with XMLHttpRequest
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla18
People
(Reporter: jruderman, Assigned: nbp)
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
185 bytes,
text/html
|
Details | |
4.30 KB,
patch
|
efaust
:
review+
|
Details | Diff | Splinter Review |
With user_pref("javascript.options.methodjit.content", false); the testcase asserts within a few seconds: Assertion failure: footer()->ionCode() == ((IonCode *)0x1) || footer()->ionCode() == ((IonCode *)0x2), at js/src/ion/shared/IonFrames-x86-shared.h:179
Assignee | ||
Updated•12 years ago
|
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Assignee | ||
Comment 1•12 years ago
|
||
I can reproduce it on x64 Linux. Add Eric Faust in the CC list. Here is the backtrace: #5 0x00007f403ec948db in js::ion::IonExitFrameLayout::DOMExit (this=0x7fff4f3ae5e0) at /home/nicolas/mozilla/ionmonkey/js/src/ion/shared/IonFrames-x86-shared.h:178 #6 0x00007f403ec9611d in MarkIonExitFrame (trc=0x7f4027b02270, frame=...) at /home/nicolas/mozilla/ionmonkey/js/src/ion/IonFrames.cpp:520 #7 0x00007f403ec96432 in MarkIonActivation (trc=0x7f4027b02270, activations=...) at /home/nicolas/mozilla/ionmonkey/js/src/ion/IonFrames.cpp:590 #8 0x00007f403ec96544 in js::ion::MarkIonActivations (rt=0x7f4027b02000, trc=0x7f4027b02270) at /home/nicolas/mozilla/ionmonkey/js/src/ion/IonFrames.cpp:620 #9 0x00007f403e8f3ec8 in js::MarkRuntime (trc=0x7f4027b02270, useSavedRoots=false) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:2613 #10 0x00007f403e8f6489 in BeginMarkPhase (rt=0x7f4027b02000) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:3437 #11 0x00007f403e8f974a in IncrementalCollectSlice (rt=0x7f4027b02000, budget=10000, reason=js::gcreason::PAGE_HIDE, gckind=js::GC_NORMAL) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:4308 #12 0x00007f403e8f9f7e in GCCycle (rt=0x7f4027b02000, incremental=true, budget=10000, gckind=js::GC_NORMAL, reason=js::gcreason::PAGE_HIDE) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:4529 #13 0x00007f403e8fa446 in Collect (rt=0x7f4027b02000, incremental=true, budget=10000, gckind=js::GC_NORMAL, reason=js::gcreason::PAGE_HIDE) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:4643 #14 0x00007f403e8fa633 in js::GCSlice (rt=0x7f4027b02000, gckind=js::GC_NORMAL, reason=js::gcreason::PAGE_HIDE, millis=0) at /home/nicolas/mozilla/ionmonkey/js/src/jsgc.cpp:4681 #15 0x00007f403e8dd3c7 in js::IncrementalGC (rt=0x7f4027b02000, reason=js::gcreason::PAGE_HIDE, millis=0) at /home/nicolas/mozilla/ionmonkey/js/src/jsfriendapi.cpp:171 #16 0x00007f403cea5216 in nsJSContext::GarbageCollectNow (aReason=js::gcreason::PAGE_HIDE, aIncremental=nsJSContext::IncrementalGC, aCompartment=nsJSContext::CompartmentGC, aShrinking=nsJSContext::NonShrinkingGC, aSliceMillis=0) at /home/nicolas/mozilla/ionmonkey/dom/base/nsJSEnvironment.cpp:2963 #17 0x00007f403cea5ea3 in GCTimerFired (aTimer=0x7f401713be60, aClosure=0x12) at /home/nicolas/mozilla/ionmonkey/dom/base/nsJSEnvironment.cpp:3227 #18 0x00007f403de4d7ec in nsTimerImpl::Fire (this=0x7f401713be60) at /home/nicolas/mozilla/ionmonkey/xpcom/threads/nsTimerImpl.cpp:473 #19 0x00007f403de4dc21 in nsTimerEvent::Run (this=0x7f402b560308) at /home/nicolas/mozilla/ionmonkey/xpcom/threads/nsTimerImpl.cpp:556 #20 0x00007f403de458b6 in nsThread::ProcessNextEvent (this=0x7f4041caba10, mayWait=true, result=0x7fff4f3adcdf) at /home/nicolas/mozilla/ionmonkey/xpcom/threads/nsThread.cpp:624 #21 0x00007f403ddd6172 in NS_ProcessNextEvent_P (thread=0x7f4041caba10, mayWait=true) at /home/nicolas/mozilla/ionmonkey/_build/master/x64/gcc45/dbg/xpcom/build/nsThreadUtils.cpp:220 #22 0x00007f403cb2db98 in nsXMLHttpRequest::Send (this=0x7f4012a7dc00, aVariant=0x0, aBody=...) at /home/nicolas/mozilla/ionmonkey/content/base/src/nsXMLHttpRequest.cpp:3031 #23 0x00007f403dd7fd93 in nsXMLHttpRequest::Send (this=0x7f4012a7dc00, aBody=...) at /home/nicolas/mozilla/ionmonkey/content/base/src/nsXMLHttpRequest.h:346 #24 0x00007f403dd7fe03 in nsXMLHttpRequest::Send (this=0x7f4012a7dc00, aRv=...) at /home/nicolas/mozilla/ionmonkey/content/base/src/nsXMLHttpRequest.h:356 #25 0x00007f403dd8101d in mozilla::dom::XMLHttpRequestBinding::send (cx=0x7f40199ad0d0, obj=..., self=0x7f4012a7dc00, argc=0, vp=0x7fff4f3ae600) at /home/nicolas/mozilla/ionmonkey/_build/master/x64/gcc45/dbg/dom/bindings/XMLHttpRequestBinding.cpp:440 #26 0x00007f4029aabb31 in ?? ()
Assignee | ||
Comment 2•12 years ago
|
||
Attachment #661822 -
Flags: review?(efaustbmo)
Comment 3•12 years ago
|
||
Comment on attachment 661822 [details] [diff] [review] Fix Bogus assertion while marking DOM method exit frame. Review of attachment 661822 [details] [diff] [review]: ----------------------------------------------------------------- Looks good. Thanks. ::: js/src/ion/arm/IonFrames-arm.h @@ +195,5 @@ > + inline bool isDomExit() { > + return > + footer()->ionCode() == ION_FRAME_DOMGETTER || > + footer()->ionCode() == ION_FRAME_DOMSETTER || > + footer()->ionCode() == ION_FRAME_DOMMETHOD; Is there any reasons for the stylistic discrepancy here between this and the x86-shared version? Not that it matters, just mildly surprising.
Attachment #661822 -
Flags: review?(efaustbmo) → review+
Assignee | ||
Comment 4•12 years ago
|
||
(In reply to Eric Faust [:efaust] from comment #3) > Comment on attachment 661822 [details] [diff] [review] > Fix Bogus assertion while marking DOM method exit frame. > > Review of attachment 661822 [details] [diff] [review]: > ----------------------------------------------------------------- > > Looks good. Thanks. > > ::: js/src/ion/arm/IonFrames-arm.h > @@ +195,5 @@ > > + inline bool isDomExit() { > > + return > > + footer()->ionCode() == ION_FRAME_DOMGETTER || > > + footer()->ionCode() == ION_FRAME_DOMSETTER || > > + footer()->ionCode() == ION_FRAME_DOMMETHOD; > > Is there any reasons for the stylistic discrepancy here between this and the > x86-shared version? Not that it matters, just mildly surprising. No, I just forgot to update the ARM version, I will do so and push it.
Assignee | ||
Comment 5•12 years ago
|
||
Remove s-s, this assertion was bogus and it does not affect optimized builds. No security risk in the current test. https://hg.mozilla.org/integration/mozilla-inbound/rev/fee9427c15c8
Group: core-security
Comment 6•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/fee9427c15c8
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
You need to log in
before you can comment on or make changes to this bug.
Description
•