Assertion failure: getSlotRef(THROWTYPEERROR).isUndefined(), at js/src/vm/GlobalObject.h:153

RESOLVED DUPLICATE of bug 1219128

Status

Core
JavaScript Engine
--
critical
2 years ago
2 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, jsbugmon, testcase})

Trunk
x86_64
Mac OS X

Firefox Tracking Flags

(firefox51 affected)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision 4f72b1d05267 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

x = evalcx("lazy");
oomTest((function() {
    evalcx("({", x);
}))


Backtrace:

0   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010f8b56ce CreateFunctionPrototype(JSContext*, JSProtoKey) + 2222 (GlobalObject.h:153)
1   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010fa84a59 js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 729 (RootingAPI.h:717)
2   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010fa84774 js::GlobalObject::ensureConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 52 (GlobalObject.cpp:124)
3   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010fc8b094 CreateObjectConstructor(JSContext*, JSProtoKey) + 116 (Object.cpp:1152)
4   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010fa84b32 js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 946 (RootingAPI.h:700)
5   js-dbg-64-dm-clang-darwin-4f72b1d05267	0x000000010fa84774 js::GlobalObject::ensureConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 52 (GlobalObject.cpp:124)
/snip

For detailed crash information, see attachment.
(Reporter)

Comment 1

2 years ago
Created attachment 8785990 [details]
Detailed Crash Information
(Reporter)

Comment 2

2 years ago
Created attachment 8785991 [details]
OOM_VERBOSE=1 stack from m-c rev 4f72b1d05267
(Reporter)

Comment 3

2 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/69ea294ab4b6
user:        Jon Coppeard
date:        Mon May 16 14:23:09 2016 +0100
summary:     Bug 1272604 - Add a zeal mode to check the heap after a moving GC r=terrence

Setting needinfo? in case bug 1272604 is related.
Blocks: 1272604
Flags: needinfo?(jcoppeard)
(Reporter)

Comment 4

2 years ago
Oops, this is likely a dupe of bug 1276382 which is a dupe of bug 1219128.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Duplicate of bug: 1219128