Closed Bug 744285 Opened 12 years ago Closed 12 years ago

Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(*thingp)), at jsgc.cpp:4278

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla14

People

(Reporter: decoder, Assigned: billm)

References

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-needed)

Attachments

(2 files)

Test case for shell (run with -n -m -a)
2.12 KB, application/javascript
Details
patch
5.47 KB, patch
igor
: review+
Details | Diff | Splinter Review 
The attached test asserts on mozilla-central revision 3fa30b0edd15 (options -m -a -n).

Marking s-s because this assertion is GC-related.

Billm: Is this a dup of bug 740509 or some other issue?
Attached patch patchSplinter Review 
This is a regression from bug 739899. When doing conservative stack scanning, I checked the gcRunning flag to see if we should reject things in other compartments. However, this flag is set by AutoHeapSession (i.e., but pretty much anyone who will use the conservative scanner). We really need to be checking IS_GC_MARKING_TRACER.

This doesn't affect the GC or CC, so I don't think it's sensitive.
Attachment #614174 - Flags: review?
Group: core-security
Attachment #614174 - Flags: review? → review?(igor)
Comment on attachment 614174 [details] [diff] [review]
patch

Review of attachment 614174 [details] [diff] [review]:
-----------------------------------------------------------------

The test is really nice!
Attachment #614174 - Flags: review?(igor) → review+
https://hg.mozilla.org/mozilla-central/rev/ca36c6b332d8
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug744285.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: