Closed
Bug 805300
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ compartment] or [@ js::gc::MarkIonCodeRoot] with --enable-more-deterministic and --ion-licm=off
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 801831
| Version | Tracking | Status |
|---|---|---|
| firefox16 | --- | unaffected |
| firefox17 | --- | unaffected |
| firefox18 | --- | unaffected |
| firefox19 | - | affected |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
Details
(4 keywords, Whiteboard: [ion:p1])
Attachments
(2 files)
The attached testcase crashes js opt shell (with --enable-more-deterministic, does not occur without) on m-c changeset c4f3ea8eec81 with --ion-licm=off at compartment with js::gc::MarkIonCodeRoot on the stack.
This seems to only happen with --enable-more-deterministic and --ion-licm=off, but locking just in case.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 110418:741fb7f8e5cb
user: Terrence Cole
date: Wed Sep 26 11:13:20 2012 -0700
summary: Bug 793577 - Implement Return<T> for direct returns of unrooted GC pointers; r=billm r=njn
Comment 1 • 12 years ago (Reporter)
Comment 2 • 12 years ago
We'll need a security rating before considering for tracking.
Comment 3 • 12 years ago
This stack looks rather busted, but it's an opt build, so this is expected. Valgrind, however, implicates the real root cause: we are attempting to mark a NULL IonCode while taking a bailout. I think this looks like an Ion bug: Sean and/or Nicolas, could you take a look?
That sounds a lot like the crash that was happening with Linux PGO in Aurora.
Comment 5 • 12 years ago (Reporter)
(In reply to Alex Keybl [:akeybl] from comment #2)
> We'll need a security rating before considering for tracking.
Assuming worse-case sec-critical especially since it involves --ion-licm=off until otherwise shown.
Keywords: sec-critical
This sounds like it could be a dupe of bug 801831? We're trying to mark a NULL enterJIT.
Whiteboard: [ion:p1]
Comment 7 • 12 years ago (Reporter)
Yes, it is likely a dupe. The patch in bug 801831 also fixes this.
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 111920:5c472c411ef3
user: Jan de Mooij
date: Wed Oct 31 14:04:18 2012 +0100
summary: Bug 801831 - Don't mark EnterJIT thunk if it's NULL. r=dvander
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → DUPLICATE
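The root cause discussed in comments 3 through 7 is a GC root-marking pass that dereferences a code pointer which has not been allocated yet (the EnterJIT thunk is NULL until Ion first needs it). The following is an added illustration, not SpiderMonkey's code: a toy compartment with a nullable code root, the unchecked marking routine that models the crash, and the guarded version that corresponds to the fix summary in bug 801831. The names IonCode, IonCompartment, Tracer, enterJIT_ and markIonCodeRoot are hypothetical stand-ins.

```cpp
// Added example (not SpiderMonkey's code): models marking a GC root that may
// still be NULL. All type and function names here are hypothetical.
#include <cstddef>
#include <vector>

// A piece of JIT-compiled code that the collector must keep alive.
struct IonCode {
    bool marked = false;
};

// A compartment owns a few code roots. The enterJIT trampoline is compiled
// lazily, so before the first Ion entry the slot is still nullptr.
struct IonCompartment {
    IonCode* enterJIT_ = nullptr;
    std::vector<IonCode*> otherRoots;
};

// Bookkeeping for one marking pass.
struct Tracer {
    std::size_t marked = 0;
};

// Form that corresponds to the bug: the root is dereferenced unconditionally,
// so a not-yet-compiled thunk is a NULL dereference during GC.
void markIonCodeRootUnchecked(Tracer& trc, IonCode* code) {
    code->marked = true;
    ++trc.marked;
}

// Guarded form: a root slot that has never been filled is simply skipped.
void markIonCodeRoot(Tracer& trc, IonCode* code) {
    if (!code)
        return;
    code->marked = true;
    ++trc.marked;
}

// Marks every code root of the compartment with the guarded routine and
// returns how many roots were actually marked.
std::size_t traceCompartment(Tracer& trc, IonCompartment& comp) {
    markIonCodeRoot(trc, comp.enterJIT_);
    for (IonCode* code : comp.otherRoots)
        markIonCodeRoot(trc, code);
    return trc.marked;
}

int main() {
    // Constructed scenario: a fresh compartment whose thunk is still NULL.
    IonCompartment comp;
    IonCode a, b;
    comp.otherRoots = {&a, &b};
    Tracer trc;
    // Guarded marking survives the NULL slot and marks the two real roots.
    return traceCompartment(trc, comp) == 2 ? 0 : 1;
}
```

The guarded version is the one traceCompartment uses; markIonCodeRootUnchecked is kept only to show the shape of the defect. A collector that tolerates empty root slots is the general fix for lazily created JIT artifacts, since the GC can run at any allocation point before the artifact exists.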
Updated • 12 years ago
Updated • 9 years ago
Group: core-security