Closed
Bug 1057219
Opened 10 years ago
Closed 10 years ago
Assertion failure: [barrier verifier] Unmarked edge: objectElementsOwner, at gc/Verifier.cpp:316
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla34
Tracking | Status | |
---|---|---|
firefox34 | --- | affected |
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
577 bytes,
text/plain
|
Details | |
836 bytes,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision dac8b4a0bd7c (run with --no-threads --fuzzing-safe): gczeal(4,1); var N = 100; function basic(out) { for (var i = 0; i < N; i++) { var arr = [0, 1, 2, 3, 4]; arr.length = 6; } } basic();
Reporter | ||
Comment 1•10 years ago
|
||
Reporter | ||
Comment 2•10 years ago
|
||
Marked s-s because it's gc-related.
status-firefox34:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 3•10 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/9605a571ca8a user: Brian Hackett date: Tue Aug 19 22:25:37 2014 -0800 summary: Bug 934450 - Allow objects to have copy on write elements, r=billm,jandem. This iteration took 288.677 seconds to run.
Updated•10 years ago
|
Assignee | ||
Comment 4•10 years ago
|
||
There should be a write barrier on the owner object pointer when we copy an object's copy-on-write elements for a write. This pointer is traced through during GC so that the elements stay alive, but isn't used in any other way, so I don't think the lack of this barrier can cause any problems.
Assignee: nobody → bhackett1024
Attachment #8479302 -
Flags: review?(wmccloskey)
Flags: needinfo?(bhackett1024)
Assignee | ||
Updated•10 years ago
|
Group: core-security
Attachment #8479302 -
Flags: review?(wmccloskey) → review+
Assignee | ||
Comment 5•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9d7eb12460ce
Comment 6•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9d7eb12460ce
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Updated•10 years ago
|
Flags: qe-verify-
You need to log in
before you can comment on or make changes to this bug.
Description
•