Closed
Bug 1024567
Opened 10 years ago
Closed 10 years ago
Assertion failure: !js::gc::IsInsideNursery(this), at jsobj.h:684
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla33
Tracking | Status | |
---|---|---|
firefox33 | --- | affected |
People
(Reporter: decoder, Assigned: lth)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,ignore])
Attachments
(2 files)
450 bytes,
text/plain
|
Details | |
5.78 KB,
patch
|
shu
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 9e8e3e903484 (threadsafe build, run with --fuzzing-safe): test([0], "map", function (... Object) { for (var i = 0; function() {} ^ this ; i++) {} }); function test(arr, op, func) { for (var i = 0; i < 1000; i++) arr[op + "Par"].apply(arr, [func, undefined]); }
Reporter | ||
Comment 1•10 years ago
|
||
Reporter | ||
Comment 2•10 years ago
|
||
Marked s-s because this is GC-related.
status-firefox33:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 3•10 years ago
|
||
JSBugMon: Bisection requested, result: === Tinderbox Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20140609215111" and the hash "a98e6f80344c". The "bad" changeset has the timestamp "20140609220510" and the hash "573458d10426". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a98e6f80344c&tochange=573458d10426
Reporter | ||
Comment 4•10 years ago
|
||
Needinfo from Lars based on bisection in comment 3.
Flags: needinfo?(lhansen)
Assignee | ||
Comment 5•10 years ago
|
||
Seems probable that this could be the same underlying cause as bug 1024756, since this test case uses rest arguments and those were affected by the fix to that bug.
Flags: needinfo?(lhansen)
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter | ||
Comment 6•10 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 48eee276b1ee).
Assignee | ||
Comment 7•10 years ago
|
||
Reproduces easily here (Linux64 again) with --fuzzing-safe in rev 9e8e3e903484, debug no-optimize build. The problem is that the assert is not valid with the new PJS GC. It was valid before, when PJS allocated directly into the tenured area. The problem is present in the latest code, according to dxr. Whether it is reproducible probably depends somewhat on GC timing, though for this test case I fail to see how it could not reproduce. It is reproducible in revision 48eee2 locally (reproduces on every attempt). This is not a security bug, just a stale assertion - the code is correct, from what I can tell. :decoder or somebody with privileges, please clear the security flag.
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Assignee | ||
Comment 8•10 years ago
|
||
Also reproduces immediately on Linux64 debug no-optimize build with --fuzzing-safe in current mozilla-inbound tip (rev d591d9ed638b).
Assignee | ||
Comment 9•10 years ago
|
||
Also reproduces without --fuzzing-safe, thankfully (I'd have no way of explaining it if that were not the case).
Comment 10•10 years ago
|
||
(In reply to Lars T Hansen [:lth] from comment #7) > :decoder or somebody with privileges, please clear the security flag. Done.
Group: core-security
Assignee | ||
Comment 11•10 years ago
|
||
Small changes + test case. A little extra churn because I had to move a function from jsobj.h to jsobjinlines.h. Ongoing try run off mozilla-inbound: https://tbpl.mozilla.org/?tree=Try&rev=26873d31d968
Attachment #8440565 -
Flags: review?(shu)
Comment 12•10 years ago
|
||
Comment on attachment 8440565 [details] [diff] [review] Patch, with test case Review of attachment 8440565 [details] [diff] [review]: ----------------------------------------------------------------- I'm lukewarm on the patch, but since it's just a DEBUG assert fix, r=me. ::: js/src/jsgc.h @@ +1293,5 @@ > +// This tests whether something is inside the GGC's nursery only; > +// use sparingly, mostly testing for any nursery, using IsInsideNursery, > +// is appropriate. > +bool > +IsInsideGGCNursery(const gc::Cell *cell); This is... okay, I guess. I think I would rather see something like |IsPostBarrierNeededOnCell| than exposing asking for which nursery a Cell is in.
Attachment #8440565 -
Flags: review?(shu) → review+
Assignee | ||
Comment 13•10 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #12) > Comment on attachment 8440565 [details] [diff] [review] > Patch, with test case > > Review of attachment 8440565 [details] [diff] [review]: > ----------------------------------------------------------------- > > [...] > > This is... okay, I guess. I think I would rather see something like > |IsPostBarrierNeededOnCell| than exposing asking for which nursery a Cell is > in. I agree that this feels like a bit of a hack (though I'll land it anyway). I've made an annotation on bug 1020290 since that pertains to cleaning up the situation around having multiple nurseries. (Try run is green, see comment 11.)
Keywords: checkin-needed
Comment 15•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/46ce2f922051
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•