Closed
Bug 1038396
Opened 10 years ago
Closed 10 years ago
Assertion failure: !(thing->zone()->isGCSweeping() || thing->zone()->isGCFinished()), at gc/Marking.cpp or Assertion failure: *ptr == 0xE9, at jit/shared/Assembler-x86-shared.h
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
VERIFIED
FIXED
mozilla33
Tracking | Status | |
---|---|---|
firefox32 | --- | unaffected |
firefox33 | --- | verified |
firefox34 | --- | unaffected |
firefox-esr24 | --- | unaffected |
People
(Reporter: gkw, Assigned: ehoogeveen)
References
Details
(Keywords: assertion, regression, testcase)
Attachments
(3 files)
The attached testcase asserts js debug shell on m-c changeset 340b19c14d3d with --baseline-eager at Assertion failure: !(thing->zone()->isGCSweeping() || thing->zone()->isGCFinished()), at gc/Marking.cpp Tested using: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1405343714/jsshell-mac64.zip === Tinderbox Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20140711133913" and the hash "e0a49f64ef4f". The "bad" changeset has the timestamp "20140711135424" and the hash "7c366c305105". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e0a49f64ef4f&tochange=7c366c305105 Note that this is fairly intermittent and the gcslice value can change. Also, setting s-s but not adding a rating as I'm not sure how the gcslice function can affect real-world usage. Terrence, is bug 1017165 a likely regressor?
Flags: needinfo?(terrence)
Reporter | ||
Comment 1•10 years ago
|
||
The js shells from tbpl do not have useful stacks.
Reporter | ||
Updated•10 years ago
|
status-firefox32:
--- → unaffected
status-firefox33:
--- → affected
Summary: Assertion failure: !(thing->zone()->isGCSweeping() || thing->zone()->isGCFinished()), at gc/Marking.cpp → Assertion failure: !(thing->zone()->isGCSweeping() || thing->zone()->isGCFinished()), at gc/Marking.cpp or Assertion failure: *ptr == 0xE9, at jit/shared/Assembler-x86-shared.h
Reporter | ||
Comment 3•10 years ago
|
||
RyanVM told me over IRC that bug 1017165 got backed out, which probably fixed this.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(terrence)
Resolution: --- → FIXED
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
Comment 4•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•10 years ago
|
Assignee: nobody → emanuel.hoogeveen
Target Milestone: --- → mozilla33
Updated•10 years ago
|
status-firefox34:
--- → unaffected
status-firefox-esr24:
--- → unaffected
Updated•10 years ago
|
Group: javascript-core-security
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•