Closed Bug 727921 Opened 12 years ago Closed 12 years ago

"Assertion failure: (ptrBits & 0x7) == 0,"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla13
Tracking Status
firefox12 --- unaffected
firefox13 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: billm)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical] js-triage-needed [advisory-tracking+])

Attachments

(1 file)

Attached file stack
(function() {
    let(d) {
        yield
    }
})()
eval("\
    (function(){\
        schedulegc(5), 'a'.replace(/a/,function(){yield})\
    })\
")()

asserts js debug shell on m-c changeset ebafee0cea36 with -m, -a and -n at Assertion failure: (ptrBits & 0x7) == 0,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   86695:fbef6a165cf8
user:        Bill McCloskey
date:        Fri Feb 10 18:32:08 2012 -0800
summary:     Bug 723313 - Stop using conservative stack scanner for VM stack marking (r=luke,bhackett)
Group: core-security
Assuming sg:critical and s-s initially after a quick look by billm and me.
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
Erm, I updated to tip and this seems gone, probably fixed by bug 714109:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   86735:f29587aa8965
user:        Terrence Cole
date:        Mon Feb 13 10:01:18 2012 -0800
summary:     Bug 714109 - Add missing barriers to Generator; r=billm
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
I'm going to re-open this, at least until I can triage it. Bug 714109 wasn't intended to fix existing bugs in the tree, so it's more likely that it's just covering up the problem.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
OK, it turns out I was wrong. That patch actually does fix the problem. I pushed a test case here:
  https://hg.mozilla.org/integration/mozilla-inbound/rev/4079180d600c
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
>   https://hg.mozilla.org/integration/mozilla-inbound/rev/4079180d600c

Setting in-testsuite+
Flags: in-testsuite? → in-testsuite+
(Normally bugs aren't closed until the cset merges from inbound)

https://hg.mozilla.org/mozilla-central/rev/4079180d600c
Followup: https://hg.mozilla.org/mozilla-central/rev/d16c61316cf4
Assignee: general → wmccloskey
Target Milestone: --- → mozilla13
Group: core-security
Test committed with fix, marking verified based on that.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [advisory-tracking+]