Closed Bug 800878 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: isScript() && !isIon(), at ../../vm/Stack.h:1785

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla19

People

(Reporter: decoder, Assigned: nbp)

Details

(Keywords: assertion, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update][ion:p1])

Attachments

(1 file, 1 obsolete file)

EvalInFrame, Check debug mode before iterating the stack.
1.20 KB, patch
luke
: review+
decoder
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 1301a72b1c39 (run with --ion-eager):


[1,2,3,4,(':'),6,7,8].forEach(
    function(x) {
        assertEq(evalInFrame(0, ('^')), x);
    }
);
This is triggering quite often. I can delete the evalInFrame function but if it would be fixed that'd be even better :)
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Testcase uses FastInvoke (for array.forEach), but it's unrelated, this one asserts too:

(function() {
    evalInFrame(0, 'x');
})();

The evalInFrame shell function assumes debug mode is enabled, but doesn't check for it.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   109920:ebeca12019a2
user:        Nicolas B. Pierron
date:        Wed Oct 10 20:41:01 2012 -0700
summary:     Bug 797977 - Rename StackIter::fp() to StackIter::interpFrame(). r=luke

This iteration took 94.587 seconds to run.
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update][ion:p1]
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
As this is a shell function, the current patch limit it's usage to be used under valid use-cases as JSD is.  Skip this function in deterministic builds because there is no way to predict if a function will been ion-compiled in another run mode. Skip this function and forbids Ion compilation in non-deterministic builds.
Attachment #672155 - Flags: review?(luke)
Attachment #672155 - Flags: review?(choller)
Comment on attachment 672155 [details] [diff] [review]
Restrict EvalInFrame to prevent incorrect fuzzer results.

Review of attachment 672155 [details] [diff] [review]:
-----------------------------------------------------------------

With the patch and the test in comment 0 I get:

Assertion failure: InNoGCScope(), at ../../gc/Root.h:417
Attachment #672155 - Flags: review?(choller) → review-
Attachment #672155 - Flags: review?(luke) → review+
This should be better as it produce the same error message as the current function (when not ran with --ion-eager) and keep the assertion which ensure that not Ion frames are live when we are debugging.
Attachment #672512 - Flags: review?(luke)
Attachment #672512 - Flags: review?(choller)
Attachment #672155 - Attachment is obsolete: true
Comment on attachment 672512 [details] [diff] [review]
EvalInFrame, Check debug mode before iterating the stack.

Fix is working for me, thanks :)
Attachment #672512 - Flags: review?(choller) → review+
Comment on attachment 672512 [details] [diff] [review]
EvalInFrame, Check debug mode before iterating the stack.

Hah, I much prefer this strategy.
Attachment #672512 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/20c4309100e1
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: