Closed
Bug 808067
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: needsBarrier_, at ../../jscompartment.h:185
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla19
Tracking | Status | |
---|---|---|
firefox17 | --- | unaffected |
firefox18 | + | fixed |
firefox19 | + | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People
(Reporter: decoder, Assigned: billm)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][adv-main18-])
Attachments
(2 files)
1.67 KB,
patch
|
sstangl
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
958 bytes,
patch
|
jonco
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 556b9cfb269f (run with --ion-eager): function TestCase(n, d, e, a) this.reason = ''; function reportCompare (expected, actual, description) { var output = ""; var testcase = new TestCase("unknown-test-name", description, expected, actual); testcase.reason = output; } gcPreserveCode(); var summary = 'return with argument and lazy generator detection'; expect = "generator function foo returns a value"; actual = (function (j) {}).message; reportCompare(expect, actual, summary + ": 1"); reportCompare(expect, actual, summary + ": 2"); gcslice(0); gcslice(1); gc(); var strings = [ (0), ]; for (var i = 0; i < strings.length; i++) reportCompare(expect, actual, summary + (5e1) + strings[i]);
Reporter | ||
Comment 1•12 years ago
|
||
S-s until investigated because this is GC related.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Assignee | ||
Updated•12 years ago
|
Assignee: general → wmccloskey
Reporter | ||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 2•12 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 112050:23eb7d58bf90 user: Bill McCloskey date: Thu Nov 01 08:08:21 2012 -0700 summary: Bug 807535 - Avoid toggling Ion write barrier too often (r=sstangl) This iteration took 93.383 seconds to run.
Assignee | ||
Comment 5•12 years ago
|
||
I assumed that ResetIncrementalGC didn't need to update the Ion barriers because it would be done when we finished the GC. However, after ResetIncremental GC, we'll start a new GC that might be over a different set of compartments. So we do need to update the barriers here.
Attachment #677890 -
Flags: review?(sstangl)
Updated•12 years ago
|
Blocks: 807913
status-firefox19:
--- → affected
tracking-firefox19:
--- → ?
Keywords: regression,
sec-critical
Comment 6•12 years ago
|
||
Setting sec-critical because this sounds kind of bad. Feel free to adjust as needed.
Assignee | ||
Comment 7•12 years ago
|
||
I found a related bug here as well. When we execute AutoGCSlice::~AutoGCSlice in the last GC slice, all the compartments have had their states set to NoGC. Therefore, GCCompartmentsIter won't find anything and so we won't disable write barriers anywhere. In practice I don't think this affects prior releases because we always disable barriers at the beginning of a slice. However, with the patch in bug 807535, it causes problems for IonMonkey. We can just iterate over all compartments here and everything should be fine, I think.
Attachment #677897 -
Flags: review?
Assignee | ||
Updated•12 years ago
|
Attachment #677897 -
Flags: review? → review?(jcoppeard)
Updated•12 years ago
|
Attachment #677890 -
Flags: review?(sstangl) → review+
Updated•12 years ago
|
Updated•12 years ago
|
Attachment #677897 -
Flags: review?(jcoppeard) → review+
Comment 8•12 years ago
|
||
These patches will require nominations for sec-approval.
Comment 9•12 years ago
|
||
reproduced on Assertion failure: *ptr == 0x3D, with Nightly/19 Windows 7 on http://www.myshared.ru/slide/154048/
Assignee | ||
Comment 11•12 years ago
|
||
Why do these require sec-approval? They only affect nightly.
Comment 12•12 years ago
|
||
(In reply to Bill McCloskey (:billm) from comment #11) > Why do these require sec-approval? They only affect nightly. Good point, apologies, I mis-spoke there - I must have confused this with another bug.
Assignee | ||
Comment 13•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/5c5e4097dd20 https://hg.mozilla.org/integration/mozilla-inbound/rev/f458467cc2cf
Comment 14•12 years ago
|
||
Backed out for make check failures: https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=f458467cc2cf https://hg.mozilla.org/integration/mozilla-inbound/rev/6dcc0beba62c
Assignee | ||
Comment 15•12 years ago
|
||
Sorry, stupid mistake. I hadn't tested any opt builds. https://hg.mozilla.org/integration/mozilla-inbound/rev/ef966ef53b23
Assignee | ||
Comment 16•12 years ago
|
||
Also, I failed to check in the test the second time: https://hg.mozilla.org/integration/mozilla-inbound/rev/ed1c5d55d104
Assignee | ||
Comment 17•12 years ago
|
||
Backed out again in case some random orange was caused by these patches: https://hg.mozilla.org/integration/mozilla-inbound/rev/60c4b0129f99
Comment 18•12 years ago
|
||
(In reply to Bill McCloskey (:billm) from comment #17) > Backed out again in case some random orange was caused by these patches: > https://hg.mozilla.org/integration/mozilla-inbound/rev/60c4b0129f99 It didn't make a difference this time, since m-cMerge (the tool used to mark bugs after merging) intentionally doesn't deal with s-s bugs automatically; but for future occasions, please can you use a commit message like: "Backout/Back out/Backed out <changeset> (<and ideally also bug id>) reason"; since: "Bug 808067 - Back out again due to possible orange (r=orange)" ...looks like another normal landing to the tool. (Backouts also don't need the r=foo; the mercurial hook doesn't require an r= for any type of landing, just a bug number if the message doesn't start with "Back..." or "Merge..." etc). :-)
Comment 19•12 years ago
|
||
hit Assertion failure: needsBarrier_ stack JSCompartment::barrierTracer() js::ion::MarkFromIon(JSCompartment*, JS::Value*) XUL@0x244568f on Windows 7 and OSX for 2012-11-05 Nightly builds on http://thisisluckyme.com/diablo/
Comment 20•12 years ago
|
||
Tracking for FF19, and nominating for FF18 given the fact that bug 807535 will likely reland on Aurora soon.
Assignee | ||
Comment 21•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/bdd3bfd15630
Comment 22•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/bdd3bfd15630
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Assignee | ||
Comment 23•12 years ago
|
||
Comment on attachment 677890 [details] [diff] [review] fix [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 807535, which I want to land on Aurora User impact if declined: crashes Testing completed (on m-c, etc.): On m-c for a day. Risk to taking this patch (and alternatives if risky): Low, I think. The earlier backout was apparently unnecessary. String or UUID changes made by this patch: None.
Attachment #677890 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 24•12 years ago
|
||
Comment on attachment 677897 [details] [diff] [review] fix for related bug [Approval Request Comment] (See above)
Attachment #677897 -
Flags: approval-mozilla-aurora?
Updated•12 years ago
|
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Updated•12 years ago
|
Attachment #677890 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•12 years ago
|
Attachment #677897 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 25•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/f32f5bf29668
Updated•12 years ago
|
Reporter | ||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 26•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
|
status-firefox17:
--- → unaffected
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main18-]
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•