Closed
Bug 461274
Opened 16 years ago
Closed 16 years ago
TM: Assertion failure: !f->vmprivate
Categories
(Core :: JavaScript Engine, defect, P1)
RESOLVED
WORKSFORME
People
(Reporter: jruderman, Assigned: automation)
Details
(Keywords: assertion, testcase, Whiteboard: [sg:needinfo] Keep private until next jsfunfuzz release)
Attachments
(1 file)
94.61 KB, text/javascript
Steps to reproduce:
1. ./js -j e-vmp.js
2. Wait for it to finish (about 3 minutes)

Result: Assertion failure: !f->vmprivate, at jstracer.cpp:2959

Security-sensitive for two reasons: (1) Andreas Gal looked at this in gdb and concluded it was random memory corruption, and (2) the testcase is an unreduced fuzzer.

I'm using Tracemonkey branch rev a21276dd3974, which is current. I've been hitting this bug occasionally for a few weeks. I was only able to reproduce it by saving the random number generator seed.
Flags: blocking1.9.1?
Updated•16 years ago
Whiteboard: [sg:critical?] Keep private until next jsfunfuzz release
Updated•16 years ago
Summary: Assertion failure: !f->vmprivate → TM: Assertion failure: !f->vmprivate
Comment 1•16 years ago
I think this might be related to the GC bug we are seeing. This seems to be random memory corruption, so we probably want to fix it. danderson and I will try to debug it now. If we can't fix this or it looks unrelated after all, we will switch to https://bugzilla.mozilla.org/show_bug.cgi?id=460875, which is a block (this one is not atm).
Assignee: general → gal
Status: NEW → ASSIGNED
Priority: -- → P1
Comment 2•16 years ago
We have difficulties reproducing this now. It's unlikely to be a dup of 460875 since that bug is not a random heap painting bug as initially assumed.
Comment 3•16 years ago
Do you want to try to debug this in rev a21276dd3974, bisect until we know which patch "fixed" the testcase, or just mark it as WFM and see if I hit it again? Last week, I was hitting it about once a day, so if it's still there it shouldn't take too long for me to find it again.
Comment 4•16 years ago
sg:needinfo -- is this one fixed/wfm now or not?
Whiteboard: [sg:critical?] Keep private until next jsfunfuzz release → [sg:needinfo] Keep private until next jsfunfuzz release
Updated•16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 5•16 years ago
I see this somewhat regularly running my own builds of Thunderbird/Shredder from the trunk with chrome jitting turned on.
Comment 6•16 years ago
I say this is WFM. If anyone is hitting this assertion with other testcases, new bugs should be filed.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Updated•9 years ago
Assignee: gal → automation
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release