Closed
Bug 511938
Opened 15 years ago
Closed 15 years ago
TM: "Assertion failure: *(uint64*)&global[STOBJ_NSLOTS(JS_GetGlobalForObject(cx, cx->fp->scopeChain))] == 0xdeadbeefdeadbeefLL, at ../jstracer.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
1.40 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
(function () { for (let x = 0; x < 4; ++x) { gczeal(2) } })() asserts dbg js shell on TM branch with -j at Assertion failure: *(uint64*)&global[STOBJ_NSLOTS(JS_GetGlobalForObject(cx, cx->fp->scopeChain))] == 0xdeadbeefdeadbeefLL, at ../jstracer.cpp:5894 Setting security-sensitive due to gczeal. autoBisect coming up after sleep.
Flags: blocking1.9.2?
Reporter | ||
Comment 1•15 years ago
|
||
So I stayed up. autoBisect shows this is probably related to bug 504478: The first bad revision is: changeset: 30365:1440f40669a7 user: Andreas Gal date: Thu Jul 16 18:42:54 2009 -0700 summary: Shrink slots during GC only, split ReallocSlots into Alloc/Grow/ShrinkSlots (504478, r=igor).
Blocks: 504478
Just talked with Andreas about this. Problem is that we set a poison value using STOBJ_NSLOTS(globalObj), and check it again later. But in between NSLOTS(globalObj) could have changed because of ShrinkSlots. So, just a bogus assertion. Should be moved to ExecuteTree.
Reporter | ||
Comment 3•15 years ago
|
||
(In reply to comment #2) > So, just a bogus assertion. Should be moved to ExecuteTree. Could this then be easily fixed? It's happening with moderate frequency in jsfunfuzz now...
Comment 4•15 years ago
|
||
Attachment #399359 -
Flags: review?(dvander)
Updated•15 years ago
|
Attachment #399359 -
Flags: review?(dvander) → review+
Comment 5•15 years ago
|
||
Looks good.
Reporter | ||
Updated•15 years ago
|
Keywords: checkin-needed
Comment 8•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/38753aa920e8
Keywords: checkin-needed
Whiteboard: fixed-in-tracemonkey
Comment 9•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/38753aa920e8
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 11•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/d021cc6099c5
status1.9.2:
--- → beta1-fixed
Flags: wanted1.9.2+
Updated•13 years ago
|
Group: core-security
Comment 12•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•