875777 - Assertion failure: !(addr & ArenaMask), at gc/Heap.h:843 or Crash [@ GetGCThingMarkBitmap]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: Testcase for shell

The attached testcase asserts on mozilla-central revision df526497d949 (run with --ion-eager).

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

Opt crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x080d868f in GetGCThingMarkBitmap (thing=0xffffff85) at /usr/include/bits/string3.h:85
85        return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
#0  0x080d868f in GetGCThingMarkBitmap (thing=0xffffff85) at /usr/include/bits/string3.h:85
#1  GetGCThingMarkWordAndMask (thing=0xffffff85, maskp=<synthetic pointer>, wordp=<optimized out>, color=0) at ./dist/include/js/HeapAPI.h:111
#2  getMarkWordAndMask (wordp=<optimized out>, color=0, cell=0xffffff85, maskp=<synthetic pointer>, this=<optimized out>) at js/src/gc/Heap.h:680
#3  arenaBits (aheader=0xffffff85, this=<optimized out>) at js/src/gc/Heap.h:727
#4  unmarkAll (this=0x908096c) at js/src/jsgc.h:360
#5  BeginMarkPhase (rt=0x9022ea0) at js/src/jsgc.cpp:2801
#6  IncrementalCollectSlice (rt=0x9022ea0, budget=<optimized out>, reason=JS::gcreason::LAST_CONTEXT, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:4237
#7  0x080da9ed in GCCycle (rt=0x9022ea0, incremental=<optimized out>, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::LAST_CONTEXT) at js/src/jsgc.cpp:4415
edi     0xac    172
=> 0x80d868f <IncrementalCollectSlice(JSRuntime*, int64_t, JS::gcreason::Reason, js::JSGCInvocationKind)+2143>: rep stos %eax,%es:(%edi)


S-s due to GC hazard.

Comment 3

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 4

[Christian Holler (:decoder)]

Comment on attachment 753795 [details]
[crash-signature] Machine-readable crash signature

Wrong signature for this bug.

Comment 5

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132612:b2216a10f95b
user:        Shu-yu Guo
date:        Tue May 21 23:52:45 2013 -0700
summary:     Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj)

This iteration took 328.595 seconds to run.

Comment 6

[Shu-yu Guo [:shu]]

I can't reproduce this on my machine, but it's likely a duplicate of 875748

Comment 7

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0fed3377c839).

Comment 8

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0fed3377c839).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   132895:e1bca8b56470
user:        Jan de Mooij
date:        Fri May 24 14:03:31 2013 +0200
summary:     Bug 868431 - Disable Ion when Baseline is disabled, remove bailout-to-interpreter code. r=djvj

This iteration took 324.962 seconds to run.

Comment 9

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Strange bisection result. Nonetheless, assuming fixed by bug 875748 as per comment 6.

Comment 10

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.

Comment 11

[Paul Silaghi, QA [:pauly]]

Based on comment 10