Closed
Bug 1094827
Opened 10 years ago
Closed 10 years ago
Assertion failure in JSScript::maybeSweepTypes
Categories
(Core :: JavaScript: GC, defect)
Core
JavaScript: GC
Tracking
()
RESOLVED
FIXED
mozilla36
| Tracking | Status | |
|---|---|---|
| firefox35 | --- | unaffected |
| firefox36 | --- | fixed |
| firefox-esr31 | --- | unaffected |
People
(Reporter: jonco, Assigned: bhackett1024)
References
Details
(Keywords: regression, sec-high)
Attachments
(3 files)
|
24.01 KB,
patch
|
Details | Diff | Splinter Review | |
|
8.06 KB,
text/plain
|
Details | |
|
1.08 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
Building with the attached patch and running:
JS_GC_ZEAL=14 gdb --args $JS/dist/bin/js jit-test/tests/debug/bug999655.js
Yields the following assertion:
Assertion failure: zone()->isGCSweepingOrCompacting() at js/src/jsinfer.cpp:4971
There doesn't appear to be anything in patch that could trigger this.
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Comment 2•10 years ago
|
||
This looks like it's related to incremental sweeping of type objects. Brian, could you take a look?
Flags: needinfo?(bhackett1024)
|
Assignee | |
Comment 3•10 years ago
|
||
What platform is this? I can't reproduce this.
|
||
Comment 4•10 years ago
|
||
I could only reproduce on linux x64
|
|
||
Comment 5•10 years ago
|
||
../configure --enable-debug --enable-optimize --enable-threadsafe --enable-build-nspr --enable-trace-malloc --disable-shared-js --enable-exact-rooting --enable-gccompacting
as configure flag
|
|
Assignee | |
Updated•10 years ago
|
Group: core-security
Flags: needinfo?(bhackett1024)
|
|
Assignee | |
Comment 6•10 years ago
|
||
This is a regression from bug 999655, actually. When we analyze arguments usage from the debugger we end up analyzing a script in a different compartment from the one the context is in.
Assignee: nobody → bhackett1024
Attachment #8518339 -
Flags: review?(jorendorff)
|
||
Updated•10 years ago
|
Blocks: 999655
status-firefox35:
--- → unaffected
status-firefox36:
--- → affected
Keywords: regression,
sec-high
|
|
||
Updated•10 years ago
|
status-firefox-esr31:
--- → unaffected
|
||
Comment 7•10 years ago
|
||
Comment on attachment 8518339 [details] [diff] [review]
fix
Yep.
Attachment #8518339 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Comment 8•10 years ago
|
||
|
|
Assignee | |
Comment 9•10 years ago
|
||
And a followup since I forgot to add the second argument to AutoCompartment (I did test this patch, but on a different computer.)
https://hg.mozilla.org/integration/mozilla-inbound/rev/02f36604f77b
https://hg.mozilla.org/mozilla-central/rev/2f20fe00845d
https://hg.mozilla.org/mozilla-central/rev/02f36604f77b
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
|
|
||
Comment 11•10 years ago
|
||
I now see:
TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/basic/bug656261.js | Timeout (code -9, args "--ion-eager --ion-offthread-compile=off")
TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/basic/bug656261.js | Timeout (code -9, args "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --no-sse3 --no-threads")
TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/gc/bug-975959.js | Assertion failure: activeParallelEntryScripts_ && activeParallelEntryScripts_->has(script), at /builds/slave/try_l64-d_sm-ggc-0000000000000/src/js/src/jit/Ion.cpp:557 (code -11, args "--ion-eager --ion-offthread-compile=off")
INFO stderr 2> Assertion failure: activeParallelEntryScripts_ && activeParallelEntryScripts_->has(script), at /builds/slave/try_l64-d_sm-ggc-0000000000000/src/js/src/jit/Ion.cpp:557
make[1]: *** [check-jit-test] Error 2
make: *** [check-jit-test] Error 2
https://treeherder.mozilla.org/ui/logviewer.html#?job_id=3052525&repo=try
Is this related, or is this another bug?
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•