Closed
Bug 1014972
Opened 10 years ago
Closed 10 years ago
Assertion failure: location == gc::ChunkLocationNursery || location == gc::ChunkLocationTenuredHeap, at dist/include/js/HeapAPI.h
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla32
Tracking | Status | |
---|---|---|
firefox31 | --- | unaffected |
firefox32 | --- | affected |
People
(Reporter: gkw, Assigned: terrence)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
2.94 KB,
text/plain
|
Details | |
1.70 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
Function("\ Array.buildPar(6947, (function() {\ return {\ a: new Function,\ b1: function() {},\ b2: function() {},\ b3: function() {},\ b4: function() {}\ }\ }));\ selectforgc(new Object);\ ")() asserts js debug shell on m-c changeset b40296602083 with --ion-eager --ion-parallel-compile=off at Assertion failure: location == gc::ChunkLocationNursery || location == gc::ChunkLocationTenuredHeap, at dist/include/js/HeapAPI.h My configure flags are: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options> autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/a6cf64544f9b user: Terrence Cole date: Wed May 14 19:48:09 2014 -0700 summary: Bug 1010655 - Always use the faster version of IsInsideNursery when possible; r=jonco Setting s-s and sec-critical by default because this seems to be a gc issue. Terrence, is bug 1010655 a likely regressor?
Flags: needinfo?(terrence)
Assignee | ||
Comment 1•10 years ago
|
||
Nope, pre-existing bustage in some debug code that I didn't even know existed. It happened not to trip over any assertions before, somehow. This is only triggerable from the shell, not from the browser. What is our sec policy for such issues?
Assignee: nobody → terrence
Status: NEW → ASSIGNED
Attachment #8427458 -
Flags: review?(jcoppeard)
Flags: needinfo?(terrence)
Updated•10 years ago
|
Group: core-security, javascript-core-security
Keywords: sec-critical
Comment 2•10 years ago
|
||
I removed the security sensitive flag because this is just a bug in a testing function.
Comment 3•10 years ago
|
||
Comment on attachment 8427458 [details] [diff] [review] bug-1014972-v0.diff Review of attachment 8427458 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit-test/tests/gc/bug-1014972.js @@ +1,2 @@ > +Function("\ > + Array.buildPar(6947, (function() {\ This might need a configuration check for parallel JS, except I don't think the parallel stuff is actually necessary to make this go bang.
Attachment #8427458 -
Flags: review?(jcoppeard) → review+
Assignee | ||
Comment 4•10 years ago
|
||
Good catch on checking for PJS before running the code. https://hg.mozilla.org/integration/mozilla-inbound/rev/3e60960771e5
Comment 5•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/3e60960771e5
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
You need to log in
before you can comment on or make changes to this bug.
Description
•