Closed Bug 1298842 Opened 8 years ago Closed 8 years ago

Assertion failure: getSlotRef(THROWTYPEERROR).isUndefined(), at js/src/vm/GlobalObject.h:153

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect

Tracking

()

RESOLVED DUPLICATE of bug 1219128
Tracking Status
firefox51 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 4f72b1d05267 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

x = evalcx("lazy");
oomTest((function() {
    evalcx("({", x);
}))


Backtrace:

0   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010f8b56ce CreateFunctionPrototype(JSContext*, JSProtoKey) + 2222 (GlobalObject.h:153)
1   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010fa84a59 js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 729 (RootingAPI.h:717)
2   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010fa84774 js::GlobalObject::ensureConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 52 (GlobalObject.cpp:124)
3   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010fc8b094 CreateObjectConstructor(JSContext*, JSProtoKey) + 116 (Object.cpp:1152)
4   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010fa84b32 js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 946 (RootingAPI.h:700)
5   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010fa84774 js::GlobalObject::ensureConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 52 (GlobalObject.cpp:124)
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/69ea294ab4b6
user:        Jon Coppeard
date:        Mon May 16 14:23:09 2016 +0100
summary:     Bug 1272604 - Add a zeal mode to check the heap after a moving GC r=terrence

Setting needinfo? in case bug 1272604 is related.
Blocks: 1272604
Flags: needinfo?(jcoppeard)
Oops, this is likely a dupe of bug 1276382 which is a dupe of bug 1219128.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Severity: critical → S4
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: