Closed
Bug 888470
Opened 12 years ago
Closed 12 years ago
Assertion failure: target, at ion/x64/Assembler-x64.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla25
Branch | Tracking | Status
---|---|---
firefox23 | --- | unaffected |
firefox24 | --- | unaffected |
firefox25 | --- | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: gkw, Assigned: shu)
References
Details
(4 keywords)
Attachments
(3 files)
The upcoming testcase asserts 64-bit threadsafe js debug shell on m-c changeset 942686767e5e with -baseline-eager --ion-parallel-compile=on at Assertion failure: target, at ion/x64/Assembler-x64.cpp
Setting s-s just-in-case, as I don't fully understand this yet, and js::ion::Assembler::addPendingJump being on the stack makes me nervous.
The testcase is fairly intermittent, but I'll see if I can get a bisection range.
Reporter
Comment 1•12 years ago
This contains full jsfunfuzz code with a set seed.
Reporter
Comment 2•12 years ago
> changeset 942686767e5e with -baseline-eager --ion-parallel-compile=on at
I meant with --baseline-eager --ion-parallel-compile=on.
Reporter
Comment 3•12 years ago
Due to skipped revisions, the first bad revision could be any of:
changeset: http://hg.mozilla.org/mozilla-central/rev/743204c6b245
user: Shu-yu Guo
date: Thu Jun 27 14:47:44 2013 -0700
summary: Bug 877893 - Part 1: Convert string VM functions needed for concatenation to take ThreadSafeContext. (r=billm)
changeset: http://hg.mozilla.org/mozilla-central/rev/d6b9e08626e4
user: Shu-yu Guo
date: Thu Jun 27 14:47:44 2013 -0700
summary: Bug 877893 - Part 2: Support string concat in parallel in Ion. (r=djvj)
Shu-yu, is bug 877893 a likely regressor?
Blocks: 877893
Reporter
Updated•12 years ago
Flags: needinfo?(shu)
Assignee
Comment 4•12 years ago
I can't reproduce this; it looks like somehow when off-thread compiling the string concat stub is NULL?
Flags: needinfo?(shu)
Reporter
Comment 5•12 years ago
(In reply to Shu-yu Guo [:shu] from comment #4)
> I can't reproduce this; it looks like somehow when off-thread compiling the
> string concat stub is NULL?
Try running this multiple times, with at least the following flags:
--enable-threadsafe --enable-debug --enable-optimize
and the following runtime flags:
--baseline-eager --ion-parallel-compile=on
It is also intermittent for me.
Assignee
Comment 6•12 years ago
I've left it in a forever loop for a while now.
Assignee
Comment 7•12 years ago
Is there a machine I can ssh into where this does reproduce?
Reporter
Comment 8•12 years ago
Shu-yu has mentioned over IRC that he has been able to reproduce on his machine.
Assignee
Comment 9•12 years ago
Forgot to sweep the parallelStringConcat_ stub if not marked.
Assignee: general → shu
Attachment #769312 -
Flags: review?(kvijayan)
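The omission named in comment 9, shown as an added example that is not part of the bug report or the attached patch: a toy C++ model of a GC sweep over weak pointers to JIT stubs. Only the name `parallelStringConcat_` comes from the comment; `Stub`, `Compartment`, `stringConcat_`, `sweepParallel` and `runGC` are hypothetical names for this model.

```cpp
// Toy model, constructed for illustration; not SpiderMonkey source.
#include <cstdio>
#include <initializer_list>

struct Stub { bool marked = false; bool freed = false; };  // stand-in for a JIT code cell

struct Compartment {
    Stub* stringConcat_;          // weak: the GC does not trace this edge
    Stub* parallelStringConcat_;  // weak: the GC does not trace this edge
    bool sweepParallel;           // false models the omission described in comment 9

    // Runs after marking, before finalization: drop weak edges to unmarked cells.
    void sweep() {
        if (stringConcat_ && !stringConcat_->marked)
            stringConcat_ = nullptr;
        if (sweepParallel && parallelStringConcat_ && !parallelStringConcat_->marked)
            parallelStringConcat_ = nullptr;
    }
};

struct Outcome { bool cached; bool stale; };

// One GC cycle. parallelMarked says whether something else kept the parallel stub alive.
Outcome runGC(bool sweepParallel, bool parallelMarked) {
    Stub seq, par;
    par.marked = parallelMarked;
    Compartment c{&seq, &par, sweepParallel};
    c.sweep();
    for (Stub* s : {&seq, &par})      // finalization: unmarked cells are released
        if (!s->marked) s->freed = true;
    Stub* p = c.parallelStringConcat_;
    // cached: pointer still set after GC; stale: it refers to a finalized cell
    return Outcome{p != nullptr, p != nullptr && p->freed};
}

int main() {
    const bool cases[3][2] = {{false, false}, {true, false}, {true, true}};
    for (const auto& k : cases) {
        Outcome o = runGC(k[0], k[1]);
        std::printf("sweepParallel=%d marked=%d -> cached=%d stale=%d\n",
                    k[0], k[1], o.cached, o.stale);
    }
    return 0;
}
```

In the model, the stale pointer appears only when the parallel stub is unmarked and the sweep skips it; with the sweep in place the pointer is cleared and the stub would have to be regenerated on next use.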
Updated•12 years ago
Attachment #769312 -
Flags: review?(kvijayan) → review+
Assignee
Comment 12•12 years ago
Comment 13•12 years ago
This can lead to arbitrary code execution.
Keywords: sec-high → sec-critical
Comment 14•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox25:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Updated•12 years ago
status-b2g18:
--- → unaffected
status-firefox23:
--- → unaffected
status-firefox24:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Updated•11 years ago
Group: core-security