Closed
Bug 776748
Opened 12 years ago
Closed 12 years ago
IonMonkey: "Assertion failure: refcount_,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: nbp)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])
Attachments
(2 files, 1 obsolete file)
(deleted),
text/plain
|
Details | |
(deleted),
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
var eCount = 0;
var funs = [function () {}, function () {}];
function someElement(a) {
++eCount;
var i = (eCount >= 8) ? 1 : 0;
return a[i]
}
var recursionGuard = 0;
function recursiveThing() {
someElement(funs);
if (++recursionGuard % 2) {
e1();
}
}
function e1() {
try {} catch (e) {}
someElement(funs);
recursiveThing()
}
recursiveThing()
gc();
recursiveThing()
recursiveThing()
asserts js debug shell on IonMonkey changeset 23a84dbb258f with--ion-eager and -a at Assertion failure: refcount_,
s-s because this involves gc.
Many thanks go out to Jesse for reducing to this from being hundreds of lines long.
Reporter | ||
Comment 1•12 years ago
|
||
Attachment #645110 -
Attachment is obsolete: true
Reporter | ||
Comment 2•12 years ago
|
||
This and bug 776687 are fuzzblockers - they should be the ones that create lots of dupes.
Whiteboard: [fuzzblocker]
Reporter | ||
Comment 3•12 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 100934:8ea86b9020a2
user: Nicolas Pierron
date: Mon Jul 16 23:19:26 2012 +0200
summary: Bug 772509 - Freeze a compilation output instead of a script. r=bhackett,dvander
Blocks: 772509
Assignee | ||
Updated•12 years ago
|
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Assignee | ||
Comment 4•12 years ago
|
||
Decrement the reference counter only for script which have been incremented before. This bug should only appear when the monitored values is frozen by both a compiled JM function and a compiled Ion function. The second check is failing because the script which has been JM-compiled is also Ion-compiled and cause an additional decref to happen.
Attachment #645493 -
Flags: review?(dvander)
Comment on attachment 645493 [details] [diff] [review]
Do not invalidate the IonScript when JM is invalidated.
Review of attachment 645493 [details] [diff] [review]:
-----------------------------------------------------------------
Good catch.
Attachment #645493 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 6•12 years ago
|
||
https://hg.mozilla.org/projects/ionmonkey/rev/eef915d5a18f
I removed the security-sensitive flag because this bug is fixed before IonMonkey landing in inbound and it only affect IonMonkey.
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Backed out due to tbpl failures: https://hg.mozilla.org/projects/ionmonkey/rev/41f66d0e46b3
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 8•12 years ago
|
||
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Comment 9•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug776748.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•