Closed
Bug 1901407
Opened 4 months ago
Closed 4 months ago
Assertion failure: this->flags() == 0, at /root/src/js/src/gc/Cell.h:798
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
129 Branch
| | Tracking | Status |
|---|---|---|
| firefox129 | --- | fixed |
People
(Reporter: nils.bars, Assigned: jandem)
References
(Blocks 1 open bug)
Details
Attachments
(2 files)
Steps to reproduce:
This bug seems to be flakey and does not trigger every time on my machine.
Check out commit 15778b8c32f8535624fff2af36fc669e65a9af3 and invoke the js shell as follows:

```sh
/root/js-spidermonkey-shell --fast-warmup --ion-check-range-analysis --ion-extra-checks --fuzzing-safe --disable-oom-functions --enable-new-set-methods --small-function-length=2048 --inlining-entry-threshold=16 --gc-zeal=10,90 --ion-scalar-replacement=on --ion-pruning=off --ion-range-analysis=off --ion-inlining=on --ion-gvn=on --ion-osr=off --ion-edgecase-analysis=on --spectre-mitigations=on --ion-limit-script-size=on --ion-offthread-compile=off --ion-optimize-gcbarriers=on --ion-iterator-indices=off --no-ggc --ion-optimize-shapeguards=on --ion-licm=on --ion-instruction-reordering=off --cache-ir-stubs=on --no-sse41 --monomorphic-inlining=never --ion-load-keys=off --ion-sink=off <testcase>
```
Actual results:
Assertion failure: this->flags() == 0, at /root/src/js/src/gc/Cell.h:798
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 125 → Trunk
Updated•4 months ago
Group: core-security → javascript-core-security
Assignee
Comment 1•4 months ago
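I can reproduce this intermittently with `rr record -h` with `--gc-zeal=10` with the reduced test below.

```js
// wasmTextToBinary and newGlobal are SpiderMonkey JS shell testing functions.
var mod = new WebAssembly.Module(wasmTextToBinary(`(func)`));
var inst = new WebAssembly.Instance(mod);
for (var i = 0; i < 5; i++) {
    // New global in the same zone; its Debugger enumerates this global's scripts.
    newGlobal({"sameZoneAs": this}).Debugger(this).findScripts();
}
```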
Assignee
Updated•4 months ago
Assignee: nobody → jdemooij
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee
Comment 2•4 months ago
Assignee
Comment 3•4 months ago
The code that's affected/changed is a debug assertion.
Group: javascript-core-security
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f948b0d908e2
Use MaybeForwardedObjectIs in DebuggerScript::trace. r=jonco
Comment 5•4 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
status-firefox129:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch