Created attachment 674928: testcase

The attached testcase crashes js opt shell (with --enable-more-deterministic, does not occur without) on m-c changeset c4f3ea8eec81 with --ion-licm=off at compartment with js::gc::MarkIonCodeRoot on the stack. This seems to only happen with --enable-more-deterministic and --ion-licm=off, but locking just in case.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 110418:741fb7f8e5cb
user: Terrence Cole
date: Wed Sep 26 11:13:20 2012 -0700
summary: Bug 793577 - Implement Return<T> for direct returns of unrooted GC pointers; r=billm r=njn
We'll need a security rating before considering for tracking.
This stack looks rather busted, but it's an opt build, so this is expected. Valgrind, however, implicates the real root cause: we are attempting to mark a NULL IonCode while taking a bailout. I think this looks like an Ion bug: Sean and/or Nicolas, could you take a look?
That sounds a lot like the crash that was happening with Linux PGO in Aurora.
(In reply to Alex Keybl [:akeybl] from comment #2)
> We'll need a security rating before considering for tracking.

Assuming worst-case sec-critical, especially since it involves --ion-licm=off, until otherwise shown.
This sounds like it could be a dupe of bug 801831? We're trying to mark a NULL enterJIT.
Yes, it is likely a dupe. The patch in bug 801831 also fixes this.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: 111920:5c472c411ef3
user: Jan de Mooij
date: Wed Oct 31 14:04:18 2012 +0100
summary: Bug 801831 - Don't mark EnterJIT thunk if it's NULL. r=dvander
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 801831