Closed
Bug 1137224
Opened 9 years ago
Closed 9 years ago
Assertion failure: arenaHeader()->allocated(), at js/src/gc/Heap.h:1276 or Crash [@ js::CurrentThreadCanAccessZone]
Categories
(Core :: JavaScript: GC, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1136597
Tracking | Status | |
---|---|---|
firefox39 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
The following testcase crashes on mozilla-central revision dd6353d61993 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --thread-count=2):

var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
  };
})(this);
var gTestcases = new Array();
var gTc = gTestcases.length;
function TestCase() gTestcases[gTc++] = this;
function checkCollation(extensionCoValue, usageValue) {
  var collator = new Intl.Collator(["de-DE"]);
  collator.resolvedOptions().collation;
}
checkCollation(undefined, "sort");
checkCollation();
for ( addpow = 0; addpow < 33; addpow++ ) {
  new TestCase();
}
evalInFrame(0, "i(true)", true);
gc(3, 'shrinking')
eval("gc(); h = g1");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x081e7bb4 in js::gc::TenuredCell::isMarked (color=<optimized out>, this=<optimized out>) at js/src/gc/Heap.h:1276
1276 MOZ_ASSERT(arenaHeader()->allocated());
#0 0x081e7bb4 in js::gc::TenuredCell::isMarked (color=<optimized out>, this=<optimized out>) at js/src/gc/Heap.h:1276
#1 0x081949ef in js::gc::TenuredCell::isMarked (this=this@entry=0xf6044040, color=1) at js/src/gc/Heap.h:1279
#2 0x0819661b in ShouldMarkCrossCompartment (trc=0x9674a28, src=<optimized out>, cell=0xf6044040) at js/src/gc/Marking.cpp:959
#3 0x081ad8ad in MarkObjectUnbarriered (name=<optimized out>, thingp=<optimized out>, trc=<optimized out>) at js/src/gc/Marking.cpp:599
#4 js::gc::MarkCrossCompartmentObjectUnbarriered (trc=0x9674a28, src=(JSObject *) 0xf6066c00 [object Object], dst=0xffffabbc, name=0x8989c25 "Debugger.Object referent") at js/src/gc/Marking.cpp:983
#5 0x082070f6 in DebuggerObject_trace (trc=trc@entry=0x9674a28, obj=obj@entry=(JSObject *) 0xf6066c00 [object Object]) at js/src/vm/Debugger.cpp:6234
#6 0x081f1ac2 in js::GCMarker::processMarkStackTop (this=this@entry=0x9674a28, budget=...) at js/src/gc/Marking.cpp:1836
#7 0x081b14b4 in js::GCMarker::drainMarkStack (this=0x9674a28, budget=...) at js/src/gc/Marking.cpp:1899
#8 0x0878008a in js::gc::GCRuntime::markWeakReferences<js::CompartmentsIterT<js::gc::GCZoneGroupIter> > (this=this@entry=0x966cd40, phase=phase@entry=js::gcstats::PHASE_SWEEP_MARK_WEAK) at js/src/jsgc.cpp:4113
#9 0x0870904f in markWeakReferencesInCurrentGroup (phase=js::gcstats::PHASE_SWEEP_MARK_WEAK, this=0x966cd40) at js/src/jsgc.cpp:4121
#10 js::gc::GCRuntime::endMarkingZoneGroup (this=this@entry=0x966cd40) at js/src/jsgc.cpp:4825
#11 0x08716239 in js::gc::GCRuntime::beginSweepPhase (this=this@entry=0x966cd40, lastGC=lastGC@entry=false) at js/src/jsgc.cpp:5182
#12 0x0871b7c7 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x966cd40, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:5915
#13 0x0871c23d in js::gc::GCRuntime::gcCycle (this=this@entry=0x966cd40, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:6104
#14 0x0871c51d in js::gc::GCRuntime::collect (this=this@entry=0x966cd40, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:6216
#15 0x08745275 in gc (reason=JS::gcreason::API, gckind=GC_NORMAL, this=0x966cd40) at js/src/jsgc.cpp:6277
#16 JS::GCForReason (rt=0x966cba0, gckind=GC_NORMAL, reason=JS::gcreason::API) at js/src/jsgc.cpp:7077
#17 0x080dcac9 in GC (cx=0x9685ab0, argc=0, vp=0x97167e0) at js/src/builtin/TestingFunctions.cpp:244
#18 0x0826f136 in js::CallJSNative (cx=0x9685ab0, native=0x80dca30 <GC(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:226
#19 0x0824a494 in js::Invoke (cx=0x9685ab0, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#20 0x08240259 in Interpret (cx=0x9685ab0, state=...) at js/src/vm/Interpreter.cpp:2601
#21 0x08249c06 in js::RunScript (cx=cx@entry=0x9685ab0, state=...) at js/src/vm/Interpreter.cpp:448
#22 0x08249d7f in js::ExecuteKernel (cx=0x9685ab0, script=0xf6078a60, scopeChainArg=(JSObject &) @0xf60818b0 [object global] delegate, thisv=..., type=js::EXECUTE_DIRECT_EVAL, evalInFrame=..., result=0xffffc0d0) at js/src/vm/Interpreter.cpp:654
#23 0x081339ce in EvalKernel (cx=cx@entry=0x9685ab0, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=(JSObject * const) 0xf60818b0 [object global] delegate, pc=0x97285e6 "{") at js/src/builtin/Eval.cpp:348
#24 0x081341b6 in js::DirectEval (cx=0x9685ab0, args=...) at js/src/builtin/Eval.cpp:489
#25 0x08457d98 in js::jit::DoCallFallback (cx=0x9685ab0, frame=0xffffc110, stub_=0x977c640, argc=1, vp=0xffffc0d0, res=$jsval(-nan(0xfff8200000000))) at js/src/jit/BaselineIC.cpp:9562
#26 0xf7607adc in ?? ()
#27 0x0977c640 in ?? ()
#28 0xf7603c25 in ?? ()
#29 0x083eec4d in EnterBaseline (cx=0xf766de6e, cx@entry=0x9685ab0, data=...) at js/src/jit/BaselineJIT.cpp:123
#30 0x083ef07e in js::jit::EnterBaselineAtBranch (cx=0x9685ab0, fp=0x9716728, pc=0x97285aa "ず") at js/src/jit/BaselineJIT.cpp:210
#31 0x08249957 in Interpret (cx=0x9685ab0, state=...) at js/src/vm/Interpreter.cpp:1737
#32 0x08249c06 in js::RunScript (cx=cx@entry=0x9685ab0, state=...) at js/src/vm/Interpreter.cpp:448
#33 0x08249d7f in js::ExecuteKernel (cx=cx@entry=0x9685ab0, script=0xf60480d0, scopeChainArg=(JSObject &) @0xf6044040 Cannot access memory at address 0x49494949, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:654
#34 0x0824a1e9 in js::Execute (cx=0x9685ab0, script=0xf60480d0, scopeChainArg=(JSObject &) @0xf6044040 Cannot access memory at address 0x49494949, rval=0x0) at js/src/vm/Interpreter.cpp:691
#35 0x086a0a5a in ExecuteScript (cx=0x9685ab0, obj=..., scriptArg=0xf60480d0, rval=0x0) at js/src/jsapi.cpp:3994
#36 0x0805f5d5 in RunFile (compileOnly=false, file=0x9727018, filename=0xffffd098 "min.js", obj=..., cx=0x9685ab0) at js/src/shell/js.cpp:466
#37 Process (cx=cx@entry=0x9685ab0, obj_=<optimized out>, filename=0xffffd098 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:599
#38 0x0806cfa0 in ProcessArgs (op=0xffffcce8, obj_=<optimized out>, cx=0x9685ab0) at js/src/shell/js.cpp:5792
#39 Shell (op=0xffffcce8, cx=0x9685ab0, envp=<optimized out>) at js/src/shell/js.cpp:6055
#40 main (argc=4, argv=0xffffceb4, envp=0xffffcec8) at js/src/shell/js.cpp:6397

eax 0x0 0
ebx 0x9659ff4 157655028
ecx 0xf7e608ac -135919444
edx 0x0 0
esi 0xf6044040 -167493568
edi 0x0 0
ebp 0xffffaae8 4294945512
esp 0xffffaad0 4294945488
eip 0x81e7bb4 <js::gc::TenuredCell::isMarked(unsigned int) const+42>
=> 0x81e7bb4 <js::gc::TenuredCell::isMarked(unsigned int) const+42>: movl $0x4fc,0x0
   0x81e7bbe <js::gc::TenuredCell::isMarked(unsigned int) const+52>: call 0x804aa70 <abort@plt>
Updated•9 years ago
Component: JavaScript Engine → JavaScript: GC
Updated•9 years ago
status-firefox38:
affected → ---
status-firefox39:
--- → affected
Comment 1•9 years ago
I verified that this is the same issue as bug 1136597.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE