Closed Bug 756243 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: kind == GetGCThingTraceKind(*thingp), at gc/Marking.cpp:231

Tracking

()

Status:

VERIFIED FIXED

Tracking Flags:

Tracking

Status

firefox-esr10

---

unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file, 1 obsolete file)

fix 12 years ago David Anderson [:dvander] - inactive, e-mail if emergency 1.28 KB, patch		Details \| Diff \| Splinter Review
better fix 12 years ago David Anderson [:dvander] - inactive, e-mail if emergency 1.83 KB, patch	nbp : review+	Details \| Diff \| Splinter Review

Christian Holler (:decoder)

Reporter

Description

•

12 years ago

The following testcase asserts on ionmonkey revision 14735b4dbccc (run with --ion -n -m):


function enterFunc (funcName)
    funcName += "()";
var lfcode = new Array();
gczeal(2);
evaluate("test();\
function test() {\
  enterFunc ('test');\
  (new test('(a(b(c)))(d(e(f)))\\\\2\\\\5'));\
}\
");

David Anderson [:dvander] - inactive, e-mail if emergency

Assignee

Updated

•

12 years ago

Hardware: x86 → x86_64

David Anderson [:dvander] - inactive, e-mail if emergency

Assignee

Updated

•

12 years ago

Assignee: general → dvander

Status: NEW → ASSIGNED

David Anderson [:dvander] - inactive, e-mail if emergency

Assignee

Comment 1

•

12 years ago

This is some kind of horrible bug involving invalidation, gc - we're restoring a value to the interpreter stack which has been freed. Investigating.

David Anderson [:dvander] - inactive, e-mail if emergency

Assignee

Comment 2

•

12 years ago

Attached patch fix (obsolete) — Details — Splinter Review

Another simple off-by-N bug.

Attachment #624917 - Flags: review?(nicolas.b.pierron)

David Anderson [:dvander] - inactive, e-mail if emergency

Assignee

Comment 3

•

12 years ago

Attached patch better fix — Details — Splinter Review

Attachment #624917 - Attachment is obsolete: true

Attachment #624917 - Flags: review?(nicolas.b.pierron)

Attachment #624958 - Flags: review?(nicolas.b.pierron)

Nicolas B. Pierron [:nbp]

Comment 4

•

12 years ago

Comment on attachment 624958 [details] [diff] [review]
better fix

Review of attachment 624958 [details] [diff] [review]:
-----------------------------------------------------------------

Good, would be better if you can define

JSFunction *fun = maybeCalleeTokenToFunction(layout->calleeToken());

Attachment #624958 - Flags: review?(nicolas.b.pierron) → review+

David Anderson [:dvander] - inactive, e-mail if emergency

Assignee

Comment 5

•

12 years ago

http://hg.mozilla.org/projects/ionmonkey/rev/8c54899dae82

Status: ASSIGNED → RESOLVED

Closed: 12 years ago

Resolution: --- → FIXED

Christian Holler (:decoder)

Reporter

Comment 6

•

12 years ago

JSBugMon: This bug has been automatically verified fixed.

Christian Holler (:decoder)

Reporter

Updated

•

12 years ago

Status: RESOLVED → VERIFIED

Daniel Veditz [:dveditz]

Updated

•

12 years ago

Group: core-security

status-firefox-esr10: --- → unaffected

Keywords: sec-high

Christian Holler (:decoder)

Reporter

Comment 7

•

11 years ago

Early ion gc issue, in-testsuite-.

Flags: in-testsuite-

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

IonMonkey: Assertion failure: kind == GetGCThingTraceKind(*thingp), at gc/Marking.cpp:231

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Security

(public)

User Story

Attachments

(1 file, 1 obsolete file)

Description

Updated

Updated

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Updated

Updated

Comment 7

Attachment

General

Description

File Name

Content Type