Bug 917733 (Closed) - Opened 11 years ago, closed 11 years ago
Assertion failure: !aheader->hasFreeThings(), at js/src/jsgc.h:531 or Crash [@ js::ObjectImpl::readBarrier]
Categories: Core :: JavaScript Engine, defect
Tracking
RESOLVED DUPLICATE of bug 901389
Branch | Tracking | Status
---|---|---
firefox24 | --- | unaffected
firefox25 | - | affected
firefox26 | - | ?
firefox27 | --- | unaffected
People: decoder (Reporter), Unassigned
References
Details
(5 keywords, Whiteboard: [jsbugmon:])
Crash Data
The following testcase asserts on mozilla-beta revision adb9fbeec38d (threadsafe build, run with --ion-eager):

// Uses the old SpiderMonkey expression-closure syntax: `function f() expr` is a function whose body is `expr`.
function foo() bar(1,2,3,4,5,6,7,8,9);
// `bar` takes a rest parameter (named `Number` here) and calls back into `foo`.
function bar(... Number) foo();
foo();
Comment 1 • 11 years ago (Reporter)
This affects mozilla-beta only, here's the crash trace (actually the crash triggers when using --ion-eager and the assertion pops up if I add --fuzzing-safe):

Program received signal SIGSEGV, Segmentation fault.
js::ObjectImpl::readBarrier (obj=0x7ffff694d060) at ../../vm/ObjectImpl-inl.h:173
173	    if (zone->needsBarrier()) {
#0  js::ObjectImpl::readBarrier (obj=0x7ffff694d060) at ../../vm/ObjectImpl-inl.h:173
#1  0x0000000000415851 in get (this=<optimized out>) at ../../gc/Barrier.h:631
#2  operator js::GlobalObject* (this=<optimized out>) at ../../gc/Barrier.h:635
#3  maybeGlobal (this=<optimized out>) at ../../jscompartmentinlines.h:25
#4  JSObject::global (this=<optimized out>) at ../../jsobjinlines.h:771
#5  0x00000000006e0f27 in js_GetClassObject (cxArg=0x18e6890, obj=<optimized out>, key=JSProto_InternalError, objp=0x0) at js/src/jsobj.cpp:3080
#6  0x00000000006e4700 in js_FindClassObject (cx=0x18e6890, protoKey=JSProto_InternalError, vp=JSVAL_VOID, clasp=<optimized out>) at js/src/jsobj.cpp:3151
#7  0x00000000006ea432 in js_GetClassPrototype (cx=0x18e6890, protoKey=<optimized out>, protop=0x0, clasp=0x0) at js/src/jsobj.cpp:5128
rax            0x7	-2111062325329913
rip            0x41550c	<js::ObjectImpl::readBarrier(js::ObjectImpl*)+76>
=> 0x41550c <js::ObjectImpl::readBarrier(js::ObjectImpl*)+76>:	cmpb   $0x0,(%rax)
   0x41550f <js::ObjectImpl::readBarrier(js::ObjectImpl*)+79>:	je     0x415549 <js::ObjectImpl::readBarrier(js::ObjectImpl*)+137>

I'm marking this s-s because the assertion involves GC and the test switches between assertion and crash by adding --fuzzing-safe, which doesn't really sound good to me.
Crash Signature: [@ js::ObjectImpl::readBarrier]
status-firefox25: --- → affected
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Version: Trunk → 25 Branch
Updated • 11 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 2 • 11 years ago (Reporter)
JSBugMon: Cannot process bug: Error: Unsupported branch "25 Branch" required by bug
Updated • 11 years ago (Reporter)
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 3 • 11 years ago (Reporter)
JSBugMon: Bisection requested, failed due to error: Error: Unsupported branch "25 Branch" required by bug
Comment 5 • 11 years ago (Reporter)
I'm seeing multiple GC crash signatures on mozilla-beta. Can we get a fix for this so we can rule out that there are more problems on beta?
Comment 6 • 11 years ago
Akeybl: this is a security vulnerability that regressed sometime between when this was on Mozilla central and the Beta uplift. We should get this fixed before release.
status-firefox24: --- → unaffected
status-firefox26: --- → ?
status-firefox27: --- → unaffected
tracking-firefox25: --- → +
Keywords: regression
Comment 7 • 11 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80fe42f29748
user:        Shu-yu Guo
date:        Fri Aug 02 08:24:57 2013 -0700
summary:     Bug 898746 - Type rest argument arrays as dense arrays with unknown element type. (r=bhackett)

Does https://hg.mozilla.org/releases/mozilla-beta/rev/80fe42f29748 or bug 898746 seem possible?
Blocks: 898746
Updated • 11 years ago
Flags: needinfo?(shu)
Comment 8 • 11 years ago
Any idea what the first good cset is on central after 80fe42f29748?
Flags: needinfo?(shu)
Comment 9 • 11 years ago
This was fixed by 901389, which looks like it missed the uplift. Marking duplicate and asking for a? on that bug.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Comment 10 • 11 years ago
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/c70720eea645
user:        Shu-yu Guo
date:        Tue Aug 06 18:15:53 2013 -0700
summary:     Bug 901389 - Pass length correctly in creating rest argument template objects in Ion. (r=bhackett)

Yep, that's right.
Updated • 11 years ago
tracking-firefox26: --- → -
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release