Closed Bug 1038396 Opened 10 years ago Closed 10 years ago

Assertion failure: !(thing->zone()->isGCSweeping() || thing->zone()->isGCFinished()), at gc/Marking.cpp or Assertion failure: *ptr == 0xE9, at jit/shared/Assembler-x86-shared.h

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla33
Tracking Flags:
Tracking Status
firefox32 --- unaffected
firefox33 --- verified
firefox34 --- unaffected
firefox-esr24 --- unaffected

People

(Reporter: gkw, Assigned: ehoogeveen)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(3 files)

testcase
5.96 KB, text/plain
Details
stack without symbols
1.95 KB, text/plain
Details
unreduced testcase showing second assertion
195.83 KB, text/plain
Details
Attached file testcase 
The attached testcase asserts js debug shell on m-c changeset 340b19c14d3d with --baseline-eager at Assertion failure: !(thing->zone()->isGCSweeping() || thing->zone()->isGCFinished()), at gc/Marking.cpp

Tested using:

https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1405343714/jsshell-mac64.zip

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140711133913" and the hash "e0a49f64ef4f".
The "bad" changeset has the timestamp "20140711135424" and the hash "7c366c305105".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e0a49f64ef4f&tochange=7c366c305105

Note that this is fairly intermittent and the gcslice value can change. Also, setting s-s but not adding a rating as I'm not sure how the gcslice function can affect real-world usage.

Terrence, is bug 1017165 a likely regressor?
Flags: needinfo?(terrence)
Attached file stack without symbols 
The js shells from tbpl do not have useful stacks.
status-firefox32: --- → unaffected
status-firefox33: --- → affected
Summary: Assertion failure: !(thing->zone()->isGCSweeping() || thing->zone()->isGCFinished()), at gc/Marking.cpp → Assertion failure: !(thing->zone()->isGCSweeping() || thing->zone()->isGCFinished()), at gc/Marking.cpp or Assertion failure: *ptr == 0xE9, at jit/shared/Assembler-x86-shared.h
RyanVM told me over IRC that bug 1017165 got backed out, which probably fixed this.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(terrence)
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
status-firefox33: affectedverified
JSBugMon: This bug has been automatically verified fixed.
Assignee: nobody → emanuel.hoogeveen
Target Milestone: --- → mozilla33
Group: javascript-core-security
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: