IonMonkey: Crash [@ compartment] or [@ js::gc::MarkIonCodeRoot] with --enable-more-deterministic and --ion-licm=off

RESOLVED DUPLICATE of bug 801831

Status

Priority: --
Severity: critical
RESOLVED DUPLICATE of bug 801831
Reported: 6 years ago
Modified: 4 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Platform: x86_64 Linux
Keywords: crash, regression, sec-critical, testcase
Points: ---
Bug Flags: in-testsuite ?

Firefox Tracking Flags

(firefox16 unaffected, firefox17 unaffected, firefox18 unaffected, firefox19- affected, firefox-esr10 unaffected, firefox-esr17 unaffected)

Details

(Whiteboard: [ion:p1], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 674928 [details]
testcase

The attached testcase crashes js opt shell (with --enable-more-deterministic, does not occur without) on m-c changeset c4f3ea8eec81 with --ion-licm=off at compartment with js::gc::MarkIonCodeRoot on the stack.

This seems to only happen with --enable-more-deterministic and --ion-licm=off, but locking just in case.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   110418:741fb7f8e5cb
user:        Terrence Cole
date:        Wed Sep 26 11:13:20 2012 -0700
summary:     Bug 793577 - Implement Return<T> for direct returns of unrooted GC pointers; r=billm r=njn
(Reporter)

Comment 1

6 years ago
Created attachment 674929 [details]
stack
(Alex Keybl [:akeybl])

Comment 2

We'll need a security rating before considering for tracking.

Comment 3

This stack looks rather busted, but it's an opt build, so this is expected. Valgrind, however, implicates the real root cause: we are attempting to mark a NULL IonCode while taking a bailout. I think this looks like an Ion bug: Sean and/or Nicolas, could you take a look?

Comment 4

That sounds a lot like the crash that was happening with Linux PGO in Aurora.
(Reporter)

Comment 5

6 years ago
(In reply to Alex Keybl [:akeybl] from comment #2)
> We'll need a security rating before considering for tracking.

Assuming worst-case sec-critical especially since it involves --ion-licm=off until otherwise shown.
Keywords: sec-critical
Comment 6

This sounds like it could be a dupe of bug 801831? We're trying to mark a NULL enterJIT.
Whiteboard: [ion:p1]
(Reporter)

Comment 7

6 years ago
Yes, it is likely a dupe. The patch in bug 801831 also fixes this.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   111920:5c472c411ef3
user:        Jan de Mooij
date:        Wed Oct 31 14:04:18 2012 +0100
summary:     Bug 801831 - Don't mark EnterJIT thunk if it's NULL. r=dvander
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite?
Resolution: --- → DUPLICATE
Duplicate of bug: 801831
tracking-firefox19: ? → -
Group: core-security
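A minimal model of the defect class discussed in this bug and of the fix summarized in comment 7 ("Don't mark EnterJIT thunk if it's NULL"), as an added example that is not SpiderMonkey code. The `IonCode`, `Compartment`, `enterJIT` and `markIonCodeRoot` names here are hypothetical stand-ins chosen to mirror the crash signature; the only real-world point carried over is that a lazily created JIT thunk can still be NULL when the GC root-marking pass runs, so the marker has to treat "no thunk" as "no root" instead of dereferencing the pointer.

```cpp
// Added example (not SpiderMonkey code): a toy model of a GC root-marking
// routine that dereferences a per-compartment JIT thunk which may not have
// been generated yet. All type and function names are hypothetical.
#include <cstddef>
#include <vector>

// Stand-in for an IonCode object living in the GC heap.
struct IonCode {
    bool marked = false;
};

// Stand-in compartment: the EnterJIT thunk is created lazily, so it stays
// NULL until the first Ion entry needs it. A GC triggered before that point
// (for instance during a bailout) sees enterJIT == nullptr.
struct Compartment {
    IonCode* enterJIT = nullptr;
    std::vector<IonCode*> otherRoots;
};

// Buggy form of the root marker: unconditionally dereferences the pointer,
// which is undefined behaviour (in practice a crash) when code == nullptr.
inline bool markIonCodeRootUnchecked(IonCode* code) {
    code->marked = true;
    return true;
}

// Fixed form, mirroring the bug 801831 fix: an absent thunk is simply not a
// root, so skip it rather than dereferencing it. Returns whether a root was
// actually marked.
inline bool markIonCodeRoot(IonCode* code) {
    if (code == nullptr)
        return false;
    code->marked = true;
    return true;
}

// Walks a compartment's code roots with the guarded marker and returns how
// many roots were marked. Safe whether or not the thunk exists yet.
inline std::size_t markCompartmentRoots(Compartment& comp) {
    std::size_t marked = 0;
    if (markIonCodeRoot(comp.enterJIT))
        ++marked;
    for (IonCode* code : comp.otherRoots)
        if (markIonCodeRoot(code))
            ++marked;
    return marked;
}

// Constructed scenario: a compartment in the middle of a bailout whose
// EnterJIT thunk was never generated. Only the compiled function is marked.
inline std::size_t scenarioNullThunk() {
    IonCode fn;
    Compartment comp;
    comp.otherRoots.push_back(&fn);
    return markCompartmentRoots(comp); // returns 1
}

// Constructed scenario: thunk present, so both the thunk and the compiled
// function are marked.
inline std::size_t scenarioThunkPresent() {
    IonCode thunk, fn;
    Compartment comp;
    comp.enterJIT = &thunk;
    comp.otherRoots.push_back(&fn);
    return markCompartmentRoots(comp); // returns 2
}
```

The unchecked marker is kept only to show the shape of the original defect; calling it with a null pointer is exactly the failure Valgrind reported in comment 3. Under a GC, an optional pointer in the root set has to be modelled as "maybe absent" at every consumer, which is why the guard belongs in the marker itself rather than at each call site.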