Closed
Bug 1120603
Opened 9 years ago
Closed 9 years ago
Assertion failure: isNursery == IsInsideNursery(obj), at builtin/TestingFunctions.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox37 | --- | unaffected |
| firefox38 | --- | disabled |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])
Attachments
(1 file: 3.94 KB, text/plain)
(function() {
    try {
        (function() {
            gcparam('maxBytes', gcparam('gcBytes') + 1)
        })();
        h
    } catch (e) {}
})()
makeFinalizeObserver('nursery')

asserts js debug shell intermittently on m-c changeset cac64af410a1 with --fuzzing-safe --gc-zeal=7 --no-baseline --ion-offthread-compile=off --ion-eager at Assertion failure: isNursery == IsInsideNursery(obj), at builtin/TestingFunctions.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This is happening regularly, but I don't know if this assert hides anything bad, so setting s-s to be safe first, and setting needinfo? from Jon and Terrence as a start.

autoBisect is running.
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
Reporter | ||
Comment 1•9 years ago
(lldb) bt 5
* thread #1: tid = 0x22197, 0x00000001000edf36 js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`MakeFinalizeObserver(cx=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 726 at TestingFunctions.cpp:1038, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001000edf36 js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`MakeFinalizeObserver(cx=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 726 at TestingFunctions.cpp:1038
    frame #1: 0x000000010074bdac js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(native=0x00000001000edc60)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 76 at jscntxtinlines.h:227
    frame #2: 0x000000010074bd60 js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`js::Invoke(cx=0x0000000101c14e20, args=CallArgs at 0x00007fff5fbfe6d0, construct=<unavailable>) + 560 at Interpreter.cpp:498
    frame #3: 0x000000010076848d js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`Interpret(cx=<unavailable>, state=<unavailable>) + 49405 at Interpreter.cpp:2556
    frame #4: 0x000000010075c369 js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`js::RunScript(cx=0x0000000101c14e20, state=0x00007fff5fbff0d8) + 345 at Interpreter.cpp:448
(lldb)
Reporter | ||
Comment 2•9 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/311c6349e630
user: Terrence Cole
date: Tue Jan 06 15:25:26 2015 -0800
summary: Bug 1085597 - Expose a nursery finalized class to the fuzzers for fuzzing; r=jonco

Bug 1085597 probably exposed this. Thanks for the fuzzer-friendly function!
Comment 3•9 years ago
This hasn't been enabled yet, I believe. (In fact, I think the mentioned patch just got backed out.)
Comment 4•9 years ago
(In reply to Andrew McCreight [:mccr8] from comment #3)
> This hasn't been enabled yet, I believe. (In fact, I think the mentioned
> patch just got backed out.)

I guess, on further reflection, that the presence of the other testing functions makes it impossible to guarantee nursery allocation. I think we'll just have to live with the C++ tests and accept less coverage of this feature.
Group: core-security
Severity: critical → normal
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(terrence)
Resolution: --- → FIXED
Updated•9 years ago
|
Flags: needinfo?(jcoppeard)