Closed Bug 815727 Opened 7 years ago Closed 7 years ago

IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: shape, at jsgc.cpp:5428

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 811058
Tracking Status
firefox19 --- affected
firefox20 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])

The following testcase asserts on mozilla-central revision 1489b6c2d1d2 (run with --ion-eager):


gcPreserveCode();
-((new Date(2000, 1, 1)).getTimezoneOffset())
try {
  (testSlowArrayPopMultiFrame(), 23);
} catch(e) {
  gczeal(4)
}
function generate_big_object_graph() {
    var root = {};
    f(root, 17);
    function f(parent, depth) {
      if (depth == 0)
        return;
      --depth;
      f(parent.a = {}, depth);
      f(parent.b = ({ writable : 1, a : '', subString:"Mozilla"} ), depth);
    }
}
Date.now();
gc();
generate_big_object_graph();
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
The first bad revision is:
changeset:   113229:6ba78023b367
user:        Brian Hackett
date:        Wed Nov 14 06:46:31 2012 -0800
summary:     Eagerly generate a single copy of Ion stubs and wrappers, bug 786146. r=dvander
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6c23f41b0747).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   114195:532d0832c09d
parent:      114137:1489b6c2d1d2
parent:      114194:a5002d796673
user:        Ed Morley
date:        Tue Nov 27 14:14:01 2012 +0000
summary:     Merge last PGO-green changeset of mozilla-inbound to mozilla-central

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, 072afb032cce.

This iteration took 72.571 seconds to run.

Oops! We didn't test rev a5002d796673, a parent of the blamed revision! Let's do that now.
We did not test rev a5002d796673 because it is not a descendant of either 1489b6c2d1d2 or 85471409cbfb.
Rev a5002d796673: Updating... Compiling... Testing... ['--timeout=10']
0
[Uninteresting] It didn't crash. (2.486 seconds)
good (not interesting) 
Bisect lied to us! Parent rev a5002d796673 was also good!

Perhaps we should expand the search to include the common ancestor of the blamed changeset's parents.
The common ancestor of 1489b6c2d1d2 and a5002d796673 is 072afb032cce.
Rev 072afb032cce: Updating... Compiling... Testing... ['--timeout=10']
-11
Exit status: CRASHED signal 11 (SIGSEGV) (0.128 seconds)
bad (interesting) 
The following line is still under testing:
Try setting -s to 072afb032cce, and -e to 85471409cbfb, and re-run autoBisect.
I suspect this was a dup of bug 815652. Bill, do you agree?
Flags: needinfo?(wmccloskey)
(In reply to Christian Holler (:decoder) from comment #4)
> I suspect this was a dup of bug 815652. Bill, do you agree?

No, but it is a dupe of bug 811058 :-).
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(wmccloskey)
Resolution: --- → DUPLICATE
Duplicate of bug: 811058
Group: core-security
You need to log in before you can comment on or make changes to this bug.