Closed
Bug 866064
Opened 11 years ago
Closed 11 years ago
Assertion failure: absolute_ && isSet(), at ion/shared/Assembler-shared.h
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla25
People
(Reporter: gkw, Assigned: jandem)
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
11.07 KB,
text/plain
|
Details | |
5.99 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
An extremely difficult to reproduce assertion is Assertion failure: absolute_ && isSet(), at ion/shared/Assembler-shared.h on a 32-bit debug deterministic threadsafe shell on Linux. I had to examine the core dump to get the stack. This was on m-c changeset 1150403342b2. There are a couple of scary-looking addresses on the stack along with Baseline functions, so assuming this to be Baseline-related.
Flags: needinfo?(jdemooij)
Comment 1•11 years ago
|
||
Is there enough information here to be useful or should this be closed incomplete? Without a testcase how is anyone going to investigate?
Updated•11 years ago
|
Flags: needinfo?(gary)
Reporter | ||
Comment 2•11 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #1) > Is there enough information here to be useful or should this be closed > incomplete? Without a testcase how is anyone going to investigate? I was actually liaising with jandem offline (and providing him with testcases/coredumps) about this on Monday. Tuesday was a holiday for where he's from, so he'll probably get to it later.
Flags: needinfo?(gary)
Assignee | ||
Comment 3•11 years ago
|
||
OK, Gary and I were able to track this down. The problem is that CodeOffsetLabel and CodeOffsetJump use the magic 0xdeadc0de value to mean "not set", see for instance: bool isSet() const { return raw_ != (uint8_t *) 0xdeadc0de; } However, 0xdeadc0de is a perfectly valid address, so if we happen to allocate a label at that address isSet() will return |false| even though the label *is* set.. In this case we had code starting at 0xdeadbf88 and a label with offset 342, and 0xdeadbf88 + 342 == 0xdeadc0de. Looking at all callers of isSet(), this is debug-only. We should fix it though to avoid rare test failures, etc.
Group: core-security
Flags: needinfo?(jdemooij)
Reporter | ||
Comment 4•11 years ago
|
||
Assigning to jandem since he knows what's going on.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Reporter | ||
Comment 5•11 years ago
|
||
jandem, any updates on this? I'm still seeing this intermittently with hard-to-reduce testcases.
Flags: needinfo?(jdemooij)
Assignee | ||
Comment 6•11 years ago
|
||
CodeLocationLabel::raw_ and CodeLocationJump::raw_ can hold either a pointer or offset, so we can't use NULL either to mean "uninitialized". UINTPTR_MAX could work, but this patch uses an enum { Uninitialized, Absolute, Relative } instead.
Attachment #774534 -
Flags: review?(nicolas.b.pierron)
Flags: needinfo?(jdemooij)
Comment 7•11 years ago
|
||
Comment on attachment 774534 [details] [diff] [review] Patch Review of attachment 774534 [details] [diff] [review]: ----------------------------------------------------------------- Sounds good.
Attachment #774534 -
Flags: review?(nicolas.b.pierron) → review+
Assignee | ||
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9db984a847ee
Comment 9•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9db984a847ee
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in
before you can comment on or make changes to this bug.
Description
•