Closed Bug 844828 Opened 12 years ago Closed 12 years ago

BaselineCompiler: Assertion failure: ionScript->containsReturnAddress(returnAddr), at IonFrames.cpp:74 or Crash [@ js::ion::IonScript::getSafepointIndex]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:][js:t])

Attachments

(1 file)

The following testcase asserts on baseline compiler branch revision 8245e95ef08f (run with --ion-eager):

    gczeal(2);
    eval("\
    for (var z = 0; z < 300; z++ ) {\
      try { (function(eval) {\
        h\
      })()\
      } catch(e) {}\
    }\
    ");
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e00fef12e2bd).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: 123130:e00fef12e2bd
tag: tip
parent: 122882:8245e95ef08f
parent: 123129:a0a2f97ef16c
user: Jan de Mooij
date: Mon Feb 25 15:11:44 2013 +0100
summary: Merge from mozilla-central.

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, 67f2a2816651.

This iteration took 116.428 seconds to run.

Oops! We didn't test rev a0a2f97ef16c, a parent of the blamed revision! Let's do that now.
We did not test rev a0a2f97ef16c because it is not a descendant of either 8245e95ef08f or e00fef12e2bd.
Rev a0a2f97ef16c: Updating... Compiling... Testing... [Uninteresting] It didn't crash. (0.254 seconds)
good (not interesting)
Bisect lied to us! Parent rev a0a2f97ef16c was also good!

Perhaps we should expand the search to include the common ancestor of the blamed changeset's parents.
The common ancestor of 8245e95ef08f and a0a2f97ef16c is 67f2a2816651.
Rev 67f2a2816651: Updating... Compiling... Testing... [Uninteresting] It didn't crash. (0.263 seconds)
good (not interesting)
The following line is still under testing:
Try setting -s to 67f2a2816651, and -e to e00fef12e2bd, and re-run autoBisect.
Whiteboard: [jsbugmon:] → [jsbugmon:][js:t]
Attached patch: Patch
If the stack looks like this: BaselineFrame -> IonFrame, and the IonFrame throws an exception, HandleException may destroy the IonScript (see the ionScript->decref(..) call). When HandleException then reaches the baseline frame and calls UnwindScope -> ScopeIter -> evalPrevScopeChain, StackIter crashes when it tries to access the invalidated IonScript.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #718442 - Flags: review?(kvijayan)
Attachment #718442 - Flags: review?(kvijayan) → review+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
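
An added illustration of the lifetime problem described in the patch comment above; it is not code from this bug, the attached patch, or SpiderMonkey. The Script, Frame, walkIsSafe and unwind names are hypothetical, the single reference count is an assumption, and deferring the release is only one possible mitigation, not necessarily what the patch does.

```cpp
#include <cstdio>
#include <vector>

// Toy stand-in for a refcounted IonScript. 'destroyed' models freed memory so
// the stale access is observable without real undefined behaviour.
struct Script {
    int refs = 1;            // assumption: the Ion frame holds the last reference
    bool destroyed = false;
    void decref() { if (--refs == 0) destroyed = true; }
};

enum class Kind { Baseline, Ion };
struct Frame { Kind kind; Script* ion; };  // ion is null for baseline frames

// Models StackIter: walks every frame still on the stack, youngest first, and
// reads each Ion frame's script. Returns false if it touched a destroyed one.
static bool walkIsSafe(const std::vector<Frame>& stack) {
    for (const Frame& f : stack)
        if (f.kind == Kind::Ion && f.ion->destroyed) return false;
    return true;
}

// Models HandleException over a stack ordered youngest-first.
// deferRelease=false: drop the script reference while handling the Ion frame.
// deferRelease=true: hold releases until unwinding is done (hypothetical).
bool unwind(const std::vector<Frame>& stack, bool deferRelease) {
    std::vector<Script*> pending;
    bool safe = true;
    for (const Frame& f : stack) {
        if (f.kind == Kind::Ion) {
            if (deferRelease) pending.push_back(f.ion);
            else f.ion->decref();
        } else {
            // Baseline frame: scope unwinding starts a fresh walk, and the
            // Ion frame above it has not been popped yet.
            safe = walkIsSafe(stack) && safe;
        }
    }
    for (Script* s : pending) s->decref();
    return safe;
}

int main() {
    Script a, b;
    std::vector<Frame> eager{{Kind::Ion, &a}, {Kind::Baseline, nullptr}};
    std::vector<Frame> deferred{{Kind::Ion, &b}, {Kind::Baseline, nullptr}};
    std::printf("eager release safe: %d\n", unwind(eager, false));
    std::printf("deferred release safe: %d\n", unwind(deferred, true));
    return 0;
}
```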