Closed Bug 817365 Opened 12 years ago Closed 12 years ago

"Assertion failure: slot < numFixedSlots(),"

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 817002
Tracking Status
firefox20 --- affected

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #817002 +++

The attached testcase asserts js debug shell on m-c changeset abb39d1df815 without any CLI arguments at Assertion failure: slot < numFixedSlots(),

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-11-30-mozilla-central-debug/jsshell-mac64.zip

Happens every time. s-s because gc is on the stack.


Stack:

Assertion failure: slot < numFixedSlots(), at ../../../js/src/vm/ObjectImpl.h:1243

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x000000010016540f in js::ArrayBufferObject::obj_trace ()
(gdb) bt
#0  0x000000010016540f in js::ArrayBufferObject::obj_trace ()
#1  0x0000000100208e8c in js::ObjectImpl::markChildren ()
#2  0x0000000100099623 in IncrementalCollectSlice ()
#3  0x0000000100098cfe in GCCycle ()
#4  0x0000000100097e1c in Collect ()
#5  0x00000001000654d6 in js::DestroyContext ()
#6  0x0000000100002ecf in main ()
(gdb)

I really think this is bug 817002, so duping. Please undupe if it's incorrect.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security