Closed Bug 805300 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ compartment] or [@ js::gc::MarkIonCodeRoot] with --enable-more-deterministic and --ion-licm=off

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
critical

Tracking

RESOLVED DUPLICATE of bug 801831
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 --- unaffected
firefox19 - affected
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [ion:p1])

Attachments

(2 files)

Attached file testcase
The attached testcase crashes js opt shell (with --enable-more-deterministic, does not occur without) on m-c changeset c4f3ea8eec81 with --ion-licm=off at compartment with js::gc::MarkIonCodeRoot on the stack. This seems to only happen with --enable-more-deterministic and --ion-licm=off, but locking just in case.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   110418:741fb7f8e5cb
user:        Terrence Cole
date:        Wed Sep 26 11:13:20 2012 -0700
summary:     Bug 793577 - Implement Return<T> for direct returns of unrooted GC pointers; r=billm r=njn
We'll need a security rating before considering for tracking.
This stack looks rather busted, but it's an opt build, so this is expected. Valgrind, however, implicates the real root cause: we are attempting to mark a NULL IonCode while taking a bailout. I think this looks like an Ion bug: Sean and/or Nicolas, could you take a look?
That sounds a lot like the crash that was happening with Linux PGO in Aurora.
(In reply to Alex Keybl [:akeybl] from comment #2)
> We'll need a security rating before considering for tracking.

Assuming worst-case sec-critical, especially since it involves --ion-licm=off, until otherwise shown.
Keywords: sec-critical
This sounds like it could be a dupe of bug 801831? We're trying to mark a NULL enterJIT.
Whiteboard: [ion:p1]
Yes, it is likely a dupe. The patch in bug 801831 also fixes this.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   111920:5c472c411ef3
user:        Jan de Mooij
date:        Wed Oct 31 14:04:18 2012 +0100
summary:     Bug 801831 - Don't mark EnterJIT thunk if it's NULL. r=dvander
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → DUPLICATE
Group: core-security
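The failure mode described in the comments above (a GC root-marking pass dereferencing a lazily generated, still-NULL EnterJIT thunk) and the shape of the fix in bug 801831 (skip the thunk when it is NULL), as an added illustrative model that is not SpiderMonkey's code. The type and function names below are simplified stand-ins, not the engine's real API.

```cpp
#include <cstddef>
#include <vector>

// Stand-in for an executable code blob that lives in the GC heap.
struct IonCode {
    bool marked = false;
};

// Minimal tracer: records which IonCode objects the marking pass reached.
struct Tracer {
    std::vector<IonCode*> reached;
};

// Root-marking helper modelled on js::gc::MarkIonCodeRoot. It dereferences
// the slot unconditionally, so a NULL slot is a crash inside the GC.
void MarkIonCodeRoot(Tracer* trc, IonCode** codep) {
    IonCode* code = *codep;
    code->marked = true;             // NULL here reproduces the reported crash
    trc->reached.push_back(code);
}

// Per-compartment Ion state. enterJIT_ is generated lazily on first entry
// into JIT code, so it is legitimately NULL for a compartment that has not
// run Ion code yet (e.g. under the --ion-licm=off test configuration).
struct IonCompartment {
    IonCode enterJITStorage;         // backing object for the demo thunk
    IonCode* enterJIT_ = nullptr;

    void ensureEnterJIT() {
        if (!enterJIT_)
            enterJIT_ = &enterJITStorage;
    }

    // The 'before' behaviour: marks the thunk even when it was never built.
    // Not exercised below, because it dereferences NULL for a fresh compartment.
    void markRootsUnguarded(Tracer* trc) { MarkIonCodeRoot(trc, &enterJIT_); }

    // The hardened behaviour: skip the root when the thunk is absent.
    void markRootsGuarded(Tracer* trc) {
        if (enterJIT_)
            MarkIonCodeRoot(trc, &enterJIT_);
    }
};

// Trace a compartment in the given state and report how many roots were marked.
size_t TraceCompartment(bool withEnterJIT) {
    IonCompartment comp;
    if (withEnterJIT)
        comp.ensureEnterJIT();
    Tracer trc;
    comp.markRootsGuarded(&trc);
    return trc.reached.size();
}
```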