IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: shape, at jsgc.cpp:5428

RESOLVED DUPLICATE of bug 811058

Status

()

Core
JavaScript Engine
--
critical
RESOLVED DUPLICATE of bug 811058
5 years ago
3 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Trunk
x86_64
Linux
assertion, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox19 affected, firefox20 affected)

Details

(Whiteboard: [jsbugmon:])

(Reporter)

Description

5 years ago
The following testcase asserts on mozilla-central revision 1489b6c2d1d2 (run with --ion-eager):


gcPreserveCode();
-((new Date(2000, 1, 1)).getTimezoneOffset())
try {
  (testSlowArrayPopMultiFrame(), 23);
} catch(e) {
  gczeal(4)
}
function generate_big_object_graph() {
    var root = {};
    f(root, 17);
    function f(parent, depth) {
      if (depth == 0)
        return;
      --depth;
      f(parent.a = {}, depth);
      f(parent.b = ({ writable : 1, a : '', subString:"Mozilla"} ), depth);
    }
}
Date.now();
gc();
generate_big_object_graph();
(Reporter)

Updated

5 years ago
Blocks: 724444
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Comment 1

5 years ago
The first bad revision is:
changeset:   113229:6ba78023b367
user:        Brian Hackett
date:        Wed Nov 14 06:46:31 2012 -0800
summary:     Eagerly generate a single copy of Ion stubs and wrappers, bug 786146. r=dvander
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
status-firefox19: --- → affected
status-firefox20: --- → affected
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
(Reporter)

Comment 2

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6c23f41b0747).
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
(Reporter)

Comment 3

5 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   114195:532d0832c09d
parent:      114137:1489b6c2d1d2
parent:      114194:a5002d796673
user:        Ed Morley
date:        Tue Nov 27 14:14:01 2012 +0000
summary:     Merge last PGO-green changeset of mozilla-inbound to mozilla-central

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, 072afb032cce.

This iteration took 72.571 seconds to run.

Oops! We didn't test rev a5002d796673, a parent of the blamed revision! Let's do that now.
We did not test rev a5002d796673 because it is not a descendant of either 1489b6c2d1d2 or 85471409cbfb.
Rev a5002d796673: Updating... Compiling... Testing... ['--timeout=10']
0
[Uninteresting] It didn't crash. (2.486 seconds)
good (not interesting) 
Bisect lied to us! Parent rev a5002d796673 was also good!

Perhaps we should expand the search to include the common ancestor of the blamed changeset's parents.
The common ancestor of 1489b6c2d1d2 and a5002d796673 is 072afb032cce.
Rev 072afb032cce: Updating... Compiling... Testing... ['--timeout=10']
-11
Exit status: CRASHED signal 11 (SIGSEGV) (0.128 seconds)
bad (interesting) 
The following line is still under testing:
Try setting -s to 072afb032cce, and -e to 85471409cbfb, and re-run autoBisect.
(Reporter)

Comment 4

5 years ago
I suspect this was a dup of bug 815652. Bill, do you agree?
Flags: needinfo?(wmccloskey)
(In reply to Christian Holler (:decoder) from comment #4)
> I suspect this was a dup of bug 815652. Bill, do you agree?

No, but it is a dupe of bug 811058 :-).
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(wmccloskey)
Resolution: --- → DUPLICATE
Duplicate of bug: 811058
Group: core-security
You need to log in before you can comment on or make changes to this bug.