Bug 1479076 (Closed)
Opened 7 years ago, closed 7 years ago
Assertion failure: thingZone == zone || thingZone->isAtomsZone(), at js/src/gc/GC.cpp:4153
Categories: (Core :: JavaScript Engine, defect)
Status: RESOLVED FIXED
Target Milestone: mozilla63
Release | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | unaffected |
firefox61 | --- | unaffected |
firefox62 | --- | unaffected |
firefox63 | --- | fixed |
People: (Reporter: gkw, Assigned: arai)
Details: (4 keywords, Whiteboard: [jsbugmon:update])
Attachments (2 files):
- 8.42 KB, text/plain
- 1.32 KB, patch (jonco: review+)
The following testcase crashes on mozilla-central revision 35a17ebc4ee6 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
```js
// jsfunfuzz-generated
fullcompartmentchecks(true);
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Debugger-findScripts-23.js
var dbg = new Debugger();
var g = newGlobal();
g.eval("function f(){}");
dbg.addDebuggee(g);
dbg.findScripts();
```
Backtrace:
```
#0 0x0000000001c600e6 in CompartmentCheckTracer::onChild (this=0x7ffe10917a20, thing=...) at js/src/gc/GC.cpp:4153
#1 0x00000000015c83eb in JS::CallbackTracer::onLazyScriptEdge (this=0x7ffe10917a20, lazyp=<optimized out>) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-35a17ebc4ee6/objdir-js/dist/include/js/TracingAPI.h:171
#2 0x0000000001ce7600 in JS::CallbackTracer::dispatchToOnEdge (this=0x7ffe10917a20, lazyp=0x7ffe109178f0) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-35a17ebc4ee6/objdir-js/dist/include/js/TracingAPI.h:257
#3 DoCallback<js::LazyScript*> (trc=0x7ffe10917a20, thingp=0x7ffe109178f0, name=0x25bed3 "Debugger.Script lazy script referent") at js/src/gc/Tracer.cpp:51
#4 0x000000000181951e in DebuggerScript_trace (trc=0x7ffe10917a28, obj=0x7f7b73c8d1f0) at js/src/vm/Debugger.cpp:5271
#5 0x00000000018c276b in js::Class::doTrace (trc=<optimized out>, obj=<optimized out>, this=<optimized out>) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-35a17ebc4ee6/objdir-js/dist/include/js/Class.h:893
/snip
```
For detailed crash information, see attachment.
Comment 1•7 years ago (Reporter)

Comment 2•7 years ago (Reporter)
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b67ea788a6f3
user: Tooru Fujisawa
date: Thu Jul 26 12:36:17 2018 +0900
summary: Bug 1434305 - Part 8: Support wrapping LazyScript in DebuggerScriptReferent. r=jimb
arai-san, is bug 1434305 a likely regressor?
Blocks: 1434305
Flags: needinfo?(arai.unmht)
Comment 3•7 years ago (Assignee)
Thanks!
Added LazyScript::maybeCompartment to match the result of LazyScript::compartment
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)
Attachment #8995695 - Flags: review?(jcoppeard)
Updated•7 years ago
Attachment #8995695 - Flags: review?(jcoppeard) → review+
Comment 4•7 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/7252e88797e3912780c4a2637da8ff8e0e30f90b
Bug 1479076 - Add LazyScript::maybeCompartment. r=jonco
Comment 5•7 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Updated•7 years ago
status-firefox61: --- → unaffected
status-firefox62: --- → unaffected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
Flags: in-testsuite+