Closed Bug 1172482 Opened 10 years ago Closed 10 years ago

Crash [@ js::gc::TenuredCell::zone] or Crash [@ DispatchToTracer<JS::Value>]

Categories: Core :: JavaScript Engine, defect
Platform: x86_64, Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 1172498
Tracking Status: firefox41 --- affected
People: Reporter: decoder, Unassigned
Details: 4 keywords, Whiteboard: [jsbugmon:update,testComment=3,ignore]

The following testcase crashes on mozilla-central revision 7d4ab4a9febd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

gczeal(14, 17);
test();
function test(x) {
  new test();
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1413
#0 js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1413
#1 0x000000000061cdaf in MustSkipMarking<JSObject*> (obj=0x7ffff4d7d340) at js/src/gc/Marking.cpp:615
#2 DoMarking<JSObject*> (thing=0x7ffff4d7d340, gcmarker=0x7ffff6944230) at js/src/gc/Marking.cpp:645
#3 operator()<JSObject> (this=<synthetic pointer>, gcmarker=0x7ffff6944230, t=0x7ffff4d7d340) at js/src/gc/Marking.cpp:657
#4 js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...) (f=..., val=...) at ../../dist/include/js/Value.h:1875
#5 0x000000000061eea4 in DoMarking<JS::Value> (val=..., gcmarker=0x7ffff6944230) at js/src/gc/Marking.cpp:664
#6 DispatchToTracer<JS::Value> (trc=<optimized out>, thingp=<optimized out>, name=<optimized out>) at js/src/gc/Marking.cpp:583
#7 0x000000000061f076 in js::TraceRootRange<JS::Value> (trc=trc@entry=0x7ffff6944230, len=2, vec=vec@entry=0x7ffffff92da8, name=name@entry=0xd9bbb6 "baseline-args") at js/src/gc/Marking.cpp:472
#8 0x000000000082fd71 in js::jit::BaselineFrame::trace (this=0x7ffffff92d38, trc=trc@entry=0x7ffff6944230, frameIterator=...) at js/src/jit/BaselineFrame.cpp:40
#9 0x000000000090b8f3 in MarkJitActivation (activations=..., trc=<optimized out>) at js/src/jit/JitFrames.cpp:1524
#10 js::jit::MarkJitActivations (rt=<optimized out>, trc=trc@entry=0x7ffff6944230) at js/src/jit/JitFrames.cpp:1558
#11 0x00000000008039f1 in js::gc::GCRuntime::markRuntime (this=this@entry=0x7ffff693c350, trc=trc@entry=0x7ffff6944230, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::MarkRuntime, rootsSource=rootsSource@entry=js::gc::GCRuntime::TraceRoots) at js/src/gc/RootMarking.cpp:515
#12 0x0000000000b29c01 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7ffff693c350, reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:3915
#13 0x0000000000b59c90 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff693c350, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:5785
#14 0x0000000000b5ad55 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff693c350, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6030
#15 0x0000000000b5b152 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff693c350, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6142
#16 0x0000000000b5b4a0 in js::gc::GCRuntime::gc (this=0x7ffff693c350, gckind=<optimized out>, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6203
#17 0x0000000000b5c832 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff693c350) at js/src/jsgc.cpp:6621
#18 0x00000000005d4f57 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=this@entry=0x7ffff693c350, cx=cx@entry=0x7ffff691b4e0) at js/src/gc/Allocator.cpp:28
#19 0x000000000061287f in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0x7ffff693c350, cx=0x7ffff691b4e0, kind=js::gc::FIRST) at js/src/gc/Allocator.cpp:55
#20 0x000000000061e26a in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff691b4e0, kind=kind@entry=js::gc::FIRST, nDynamicSlots=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x1a4e320 <JSFunction::class_>) at js/src/gc/Allocator.cpp:119
#21 0x0000000000727129 in JSObject::create (cx=0x7ffff691b4e0, kind=js::gc::FIRST, heap=js::gc::TenuredHeap, shape=..., group=...) at js/src/jsobjinlines.h:303
#22 0x0000000000afd247 in NewObject (cx=0x7ffff691b4e0, group=..., kind=js::gc::FIRST, newKind=js::SingletonObject) at js/src/jsobj.cpp:1102
#23 0x0000000000afe59a in js::NewObjectWithClassProtoCommon (cxArg=cxArg@entry=0x7ffff691b4e0, clasp=clasp@entry=0x1a4e320 <JSFunction::class_>, protoArg=..., protoArg@entry=..., allocKind=<optimized out>, allocKind@entry=js::gc::FIRST, newKind=newKind@entry=js::SingletonObject) at js/src/jsobj.cpp:1234
#24 0x0000000000b5ccc4 in NewObjectWithClassProto (newKind=js::SingletonObject, allocKind=js::gc::FIRST, proto=..., clasp=0x1a4e320 <JSFunction::class_>, cx=0x7ffff691b4e0) at js/src/jsobjinlines.h:668
#25 js::NewFunctionWithProto (cx=cx@entry=0x7ffff691b4e0, native=native@entry=0x6be4b0 <js::SavedFrame::construct(JSContext*, unsigned int, JS::Value*)>, nargs=nargs@entry=0, flags=JSFunction::NATIVE_FUN, enclosingDynamicScope=..., atom=..., proto=..., allocKind=js::gc::FIRST, newKind=js::SingletonObject) at js/src/jsfun.cpp:2049
#26 0x0000000000b60477 in NewNativeFunction (newKind=<optimized out>, allocKind=<optimized out>, atom=..., nargs=<optimized out>, native=<optimized out>, cx=<optimized out>) at js/src/jsfun.cpp:1995
#27 js::DefineFunction (cx=cx@entry=0x7ffff691b4e0, obj=..., id=..., id@entry=..., native=0x6be4b0 <js::SavedFrame::construct(JSContext*, unsigned int, JS::Value*)>, nargs=0, flags=0, flags@entry=512, allocKind=allocKind@entry=js::gc::FIRST, newKind=newKind@entry=js::GenericObject) at js/src/jsfun.cpp:2276
#28 0x0000000000abc0d1 in JS_DefineFunctions (cx=cx@entry=0x7ffff691b4e0, obj=..., fs=0x1a0bd00 <js::SavedFrame::protoFunctions>, behavior=behavior@entry=DontDefineLateProperties) at js/src/jsapi.cpp:3547
#29 0x00000000006642aa in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7ffff691b4e0, global=..., key=key@entry=JSProto_SavedFrame) at js/src/vm/GlobalObject.cpp:182
#30 0x000000000066466c in js::GlobalObject::ensureConstructor (cx=cx@entry=0x7ffff691b4e0, global=..., global@entry=..., key=key@entry=JSProto_SavedFrame) at js/src/vm/GlobalObject.cpp:99
#31 0x00000000006f5dfa in getOrCreateSavedFramePrototype (global=..., cx=0x7ffff691b4e0) at js/src/vm/GlobalObject.h:397
#32 js::SavedStacks::createFrameFromLookup (this=this@entry=0x7ffff69580a0, cx=cx@entry=0x7ffff691b4e0, lookup=..., lookup@entry=...) at js/src/vm/SavedStacks.cpp:1058
#33 0x00000000006f6206 in js::SavedStacks::getOrCreateSavedFrame (this=this@entry=0x7ffff69580a0, cx=cx@entry=0x7ffff691b4e0, lookup=...) at js/src/vm/SavedStacks.cpp:1037
#34 0x00000000006f7139 in js::SavedStacks::insertFrames (this=this@entry=0x7ffff69580a0, cx=cx@entry=0x7ffff691b4e0, iter=..., frame=..., frame@entry=..., maxFrameCount=1, maxFrameCount@entry=128) at js/src/vm/SavedStacks.cpp:969
#35 0x00000000006f737c in js::SavedStacks::saveCurrentStack (this=this@entry=0x7ffff69580a0, cx=cx@entry=0x7ffff691b4e0, frame=frame@entry=..., maxFrameCount=maxFrameCount@entry=128) at js/src/vm/SavedStacks.cpp:808
#36 0x0000000000a7fad4 in JS::CaptureCurrentStack (cx=cx@entry=0x7ffff691b4e0, stackp=..., stackp@entry=..., maxFrameCount=maxFrameCount@entry=128) at js/src/jsapi.cpp:6027
#37 0x0000000000aff66f in CaptureStack (stack=..., cx=0x7ffff691b4e0) at js/src/jsexn.cpp:284
#38 js::ErrorToException (cx=cx@entry=0x7ffff691b4e0, message=message@entry=0x7ffff4cbcdc0 "too much recursion", reportp=reportp@entry=0x7fffffdfddb0, callback=<optimized out>, userRef=<optimized out>) at js/src/jsexn.cpp:558
#39 0x0000000000a802a8 in ReportError (cx=0x7ffff691b4e0, message=0x7ffff4cbcdc0 "too much recursion", reportp=0x7fffffdfddb0, callback=<optimized out>, userRef=<optimized out>) at js/src/jscntxt.cpp:229
#40 0x0000000000a9280a in js::ReportErrorNumberVA (cx=0x7ffff691b4e0, flags=0, callback=0xa685d0 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=110, argumentsType=js::ArgumentsAreASCII, ap=0x7fffffdfde78) at js/src/jscntxt.cpp:746
#41 0x0000000000a928ab in JS_ReportErrorNumberVA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=ap@entry=0x7fffffdfde78) at js/src/jsapi.cpp:5155
#42 0x0000000000a92936 in JS_ReportErrorNumber (cx=cx@entry=0x7ffff691b4e0, errorCallback=errorCallback@entry=0xa685d0 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=110) at js/src/jsapi.cpp:5144
#43 0x0000000000a93076 in js::ReportOverRecursed (maybecx=maybecx@entry=0x7ffff691b4e0) at js/src/jscntxt.cpp:349
#44 0x0000000000a22f74 in js::jit::CheckOverRecursed (cx=0x7ffff691b4e0) at js/src/jit/VMFunctions.cpp:97
#45 0x00007ffff7fed3b9 in ?? ()
#46 0x0000000000000000 in ?? ()
rax 0x2 2
rbx 0x7ffff4d7d340 140737301173056
rcx 0x7fffffdfbd20 140737486241056
rdx 0x7ffff4d7d000 140737301172224
rsi 0xfffbffffffffffff -1125899906842625
rdi 0x7d340 512832
rbp 0x7fffffdfbcd0 140737486240976
rsp 0x7fffffdfbcc0 140737486240960
r8 0x1 1
r9 0x7ffff6944230 140737330299440
r10 0x40003 262147
r11 0x2 2
r12 0x7ffff6944230 140737330299440
r13 0xfffa7fffffffffff -1548112371908609
r14 0x2 2
r15 0x7ffffff92db0 140737487908272
rip 0x59d0fa <js::gc::TenuredCell::zone() const+74>
=> 0x59d0fa <js::gc::TenuredCell::zone() const+74>: mov (%rdx),%rbx
   0x59d0fd <js::gc::TenuredCell::zone() const+77>: mov %rbx,%rdi

Marking s-s until investigated.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150604061136" and the hash "81fe755dfd47". The "bad" changeset has the timestamp "20150604062845" and the hash "dbc89e025b5f". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=81fe755dfd47&tochange=dbc89e025b5f
Keywords: sec-high
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3d11cb4f31b9).
This is an automated crash issue comment:

Summary: Crash [@ js::gc::TenuredCell::zone]
Build version: mozilla-central revision 0b2f5e8b7be5
Build flags: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug
Runtime options: --ion-eager --ion-offthread-compile=off

Testcase:

gczeal(14, 1);
function InstanceOf( object_1, object_2, expect ) {}
function Gen2(value) {
  function Gen1(value) {}
  Gen1.prototype = new Gen2();
}
InstanceOf( new Gen2(), Gen1, false );

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1413
#0 js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1413
#1 0x000000000062102f in MustSkipMarking<JSObject*> (obj=0x7ffff7e7f940) at js/src/gc/Marking.cpp:615
#2 DoMarking<JSObject*> (thing=0x7ffff7e7f940, gcmarker=0x7ffff69441c8) at js/src/gc/Marking.cpp:645
#3 operator()<JSObject> (this=<synthetic pointer>, gcmarker=0x7ffff69441c8, t=0x7ffff7e7f940) at js/src/gc/Marking.cpp:657
#4 js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...) (f=..., val=...) at ../../dist/include/js/Value.h:1875
#5 0x00000000006237c4 in DoMarking<JS::Value> (val=..., gcmarker=0x7ffff69441c8) at js/src/gc/Marking.cpp:664
#6 DispatchToTracer<JS::Value> (trc=<optimized out>, thingp=<optimized out>, name=<optimized out>) at js/src/gc/Marking.cpp:583
#7 0x0000000000623996 in js::TraceRootRange<JS::Value> (trc=trc@entry=0x7ffff69441c8, len=2, vec=vec@entry=0x7fffffffa778, name=name@entry=0xd9c2be "baseline-args") at js/src/gc/Marking.cpp:472
#8 0x000000000083a7a1 in js::jit::BaselineFrame::trace (this=0x7fffffffa708, trc=trc@entry=0x7ffff69441c8, frameIterator=...) at js/src/jit/BaselineFrame.cpp:40
#9 0x000000000090eec3 in MarkJitActivation (activations=..., trc=<optimized out>) at js/src/jit/JitFrames.cpp:1534
#10 js::jit::MarkJitActivations (rt=<optimized out>, trc=trc@entry=0x7ffff69441c8) at js/src/jit/JitFrames.cpp:1569
#11 0x000000000080f141 in js::gc::GCRuntime::markRuntime (this=this@entry=0x7ffff693c350, trc=trc@entry=0x7ffff69441c8, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::MarkRuntime, rootsSource=rootsSource@entry=js::gc::GCRuntime::TraceRoots) at js/src/gc/RootMarking.cpp:491
#12 0x0000000000b1ec05 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7ffff693c350, reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:3908
#13 0x0000000000b49f20 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff693c350, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:5797
#14 0x0000000000b4afd2 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff693c350, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6042
#15 0x0000000000b4b3d2 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff693c350, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6154
#16 0x0000000000b4b730 in js::gc::GCRuntime::gc (this=0x7ffff693c350, gckind=<optimized out>, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6215
#17 0x0000000000b4bf8d in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff693c350) at js/src/jsgc.cpp:6633
#18 0x00000000005d9427 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=this@entry=0x7ffff693c350, cx=cx@entry=0x7ffff691b4e0) at js/src/gc/Allocator.cpp:28
#19 0x0000000000616b7f in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0x7ffff693c350, cx=0x7ffff691b4e0, kind=js::gc::OBJECT16_BACKGROUND) at js/src/gc/Allocator.cpp:55
#20 0x0000000000622b04 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff691b4e0, kind=kind@entry=js::gc::OBJECT16_BACKGROUND, nDynamicSlots=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x1a0b540 <js::PlainObject::class_>) at js/src/gc/Allocator.cpp:121
#21 0x000000000072803b in JSObject::create (cx=0x7ffff691b4e0, kind=js::gc::OBJECT16_BACKGROUND, heap=<optimized out>, shape=..., group=...) at js/src/jsobjinlines.h:309
#22 0x0000000000afe7b7 in NewObject (cx=0x7ffff691b4e0, group=..., kind=js::gc::OBJECT16_BACKGROUND, newKind=js::SingletonObject, initialShapeFlags=<optimized out>) at js/src/jsobj.cpp:693
#23 0x0000000000b5150b in NewObjectWithGroup<js::PlainObject> (newKind=js::SingletonObject, allocKind=js::gc::OBJECT16, group=..., cx=0x7ffff691b4e0) at js/src/jsobjinlines.h:763
#24 CreateThisForFunctionWithGroup (newKind=js::SingletonObject, group=..., cx=0x7ffff691b4e0) at js/src/jsobj.cpp:963
#25 js::CreateThisForFunctionWithProto (cx=cx@entry=0x7ffff691b4e0, callee=callee@entry=..., proto=proto@entry=..., newKind=newKind@entry=js::SingletonObject) at js/src/jsobj.cpp:1007
#26 0x0000000000b51c19 in js::CreateThisForFunction (cx=cx@entry=0x7ffff691b4e0, callee=callee@entry=..., newKind=js::SingletonObject) at js/src/jsobj.cpp:1032
#27 0x000000000063b0d0 in js::RunState::maybeCreateThisForConstructor (this=this@entry=0x7fffffff9930, cx=cx@entry=0x7ffff691b4e0) at js/src/vm/Interpreter.cpp:348
#28 0x0000000000957663 in js::jit::CanEnter (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/jit/Ion.cpp:2416
#29 0x00000000006879e5 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:629
#30 0x0000000000688087 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::CONSTRUCT) at js/src/vm/Interpreter.cpp:729
#31 0x00000000006919b7 in js::InvokeConstructor (cx=cx@entry=0x7ffff691b4e0, args=...) at js/src/vm/Interpreter.cpp:796
#32 0x0000000000691cfb in js::InvokeConstructor (cx=cx@entry=0x7ffff691b4e0, fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffffa6b8, newTargetInArgv=newTargetInArgv@entry=true, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:826
#33 0x00000000008b660d in js::jit::DoCallFallback (cx=0x7ffff691b4e0, frame=0x7fffffffa708, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffa6a8, res=...) at js/src/jit/BaselineIC.cpp:9845
#34 0x00007ffff7feebdf in ?? ()
[...]
#44 0x0000000000000000 in ?? ()
rax 0x2 2
rbx 0x7ffff7e7f940 140737352563008
rcx 0x7fffffff8a90 140737488325264
rdx 0x7ffff7e7f000 140737352560640
rsi 0xfffbffffffffffff -1125899906842625
rdi 0x7f940 522560
rbp 0x7fffffff8a40 140737488325184
rsp 0x7fffffff8a30 140737488325168
r8 0x1 1
r9 0x8 8
r10 0x1 1
r11 0x8c4542 9192770
r12 0x7ffff69441c8 140737330299336
r13 0xfffa7fffffffffff -1548112371908609
r14 0x2 2
r15 0x7fffffffa780 140737488332672
rip 0x509c7e <js::gc::TenuredCell::zone() const+78>
=> 0x509c7e <js::gc::TenuredCell::zone() const+78>: mov (%rdx),%rbx
   0x509c81 <js::gc::TenuredCell::zone() const+81>: mov %rbx,%rdi
Still reproduces per comment 3 and also has a different signature on ARM builds. Requesting another bisection.
Summary: Crash [@ js::gc::TenuredCell::zone] → Crash [@ js::gc::TenuredCell::zone] or Crash [@ DispatchToTracer<JS::Value>]
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisect,testComment=3]
Whiteboard: [jsbugmon:update,bisect,testComment=3] → [jsbugmon:update,testComment=3]
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150603171146" and the hash "faafd199bf97". The "bad" changeset has the timestamp "20150603172045" and the hash "d22779079708". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=faafd199bf97&tochange=d22779079708
Crash Signature: [@ js::gc::TenuredCell::zone] → [@ js::gc::TenuredCell::zone] [@ DispatchToTracer<T>(JSTracer*, JSObject**, char const*)] [@ DispatchToTracer<T>]
Crash Signature: [@ js::gc::TenuredCell::zone] [@ DispatchToTracer<T>(JSTracer*, JSObject**, char const*)] [@ DispatchToTracer<T>] → [@ js::gc::TenuredCell::zone] [@ DispatchToTracer<T>(JSTracer*, JSObject**, char const*)] [@ DispatchToTracer<T>]
Whiteboard: [jsbugmon:update,testComment=3] → [jsbugmon:update,testComment=3,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f1b3144fed94).
Crash signatures in comment 6 are still showing up in recent builds. Could you look into this, Eric, and see if you can figure out what is going on with these test cases?
Crash Signature: [@ js::gc::TenuredCell::zone] [@ DispatchToTracer<T>(JSTracer*, JSObject**, char const*)] [@ DispatchToTracer<T>] → [@ js::gc::TenuredCell::zone] [@ DispatchToTracer<T>(JSTracer*, JSObject**, char const*)] [@ DispatchToTracer<T>]
Flags: needinfo?(efaustbmo)
I cannot make this reproduce for me at all. Have we seen it in the wild since the uplift in bug 1172498? It seems likely to be related.
Flags: needinfo?(efaustbmo)
(In reply to Eric Faust [:efaust] from comment #9)
> I cannot make this reproduce for me at all. Have we seen it in the wild
> since the uplift in bug 1172498? It seems likely to be related.

Yeah, this does not reproduce for me on central starting exactly with revision c6a517d18f12, the fix for bug 1172498.
Thanks for looking into this.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release