TM: "Assertion failure: tree->ip != ip,"

VERIFIED FIXED

Status

Core
JavaScript Engine
--
critical
8 years ago
6 years ago

People

(Reporter: gkw, Assigned: Igor Bukanov)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 betaN+, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [sg:critical] fixed-in-tracemonkey)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
uneval = function(){}
Function("\
  function zz(aa) {\
    if (aa) this.a = decodeURIComponent;\
    gc();\
    delete this.a\
  }\
  for each(c in [0, 0, 0, 0, 0, 0, 0, new Boolean(false), \
                  0, new Boolean(false), new Boolean(false), \"\"]) {\
    l=new zz(c)\
  }\
")()

asserts js debug shell on TM changeset 98c134cf59ef with -j at Assertion failure: tree->ip != ip,

Setting s-s because this involves gc.
(Reporter)

Updated

8 years ago
blocking2.0: --- → ?
(Reporter)

Comment 1

8 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   54494:b079aae53212
user:        Igor Bukanov
date:        Tue Sep 21 14:58:19 2010 +0200
summary:     bug 597736 - fixing TreeFragment leak. r=gal
Blocks: 597736
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected

Updated

8 years ago
Assignee: general → igor
blocking2.0: ? → betaN+
(Assignee)

Comment 2

8 years ago
Created attachment 480735 [details] [diff] [review]
v1

In bug 597736 I missed that TraceMonitor::sweep() must abort the recording if it trashes any peer related to a fragment with dead GC things.
(Assignee)

Updated

8 years ago
Attachment #480735 - Flags: review?(gal)

Comment 3

8 years ago
Comment on attachment 480735 [details] [diff] [review]
v1

I think we should factor out the purge-this-tree code and then call it for the recorder fragment instead of wedging these two things into each other.
(Assignee)

Comment 4

8 years ago
(In reply to comment #3)
> I think we should factor out the purge-this-tree code and then call it for the
> recorder fragment instead of wedging these two things into each other.

I am not sure what you mean here. The recorder contains just one of the peers, right? Yet any peer with a dead fragment implies trashing all the peers. Or do you suggest moving the check for the recorder fragment into TrashTree and aborting the recording there?

Comment 5

8 years ago
I mean that I don't want to do this from inside the loop checking whether we have arrived at a specific fragment and instead just do it before the loop.
(Assignee)

Comment 6

8 years ago
(In reply to comment #5)
> I mean that I don't want to do this from inside the loop checking whether we
> have arrived at a specific fragment and instead just do it before the loop.

AFAICS the recorder's fragment with dead GC things is special, since trashing it does not imply trashing other peers (recording can just be aborted), while recorded peers with dead things mean trashing all the peers. I do not see how to factor that out.

Updated

8 years ago
Whiteboard: [sg:critical]
(Assignee)

Comment 7

8 years ago
gal: could you comment on the above?
gal?
gal, double ping?
(In reply to comment #5)
> I mean that I don't want to do this from inside the loop checking whether we
> have arrived at a specific fragment and instead just do it before the loop.

So is that an "r-" then? Trying to figure out whose court the ball is in here: waiting on review, or waiting on a new patch?
gal, triple ping. :-) I think this bug is stalled until you + or - the patch.

Updated

8 years ago
Attachment #480735 - Flags: review?(gal) → review+
(Assignee)

Updated

8 years ago
Whiteboard: [sg:critical] → [sg:critical] fixed-in-tracemonkey

Comment 13

8 years ago
http://hg.mozilla.org/mozilla-central/rev/5177ee4c10d6
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Duplicate of this bug: 600884
Group: core-security
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
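
The invariant from comment 2 (a sweep that trashes the peers of the tree under recording must also abort that recording), shown as an added illustration that is not part of the bug thread or the attached patch. It is a simplified model: `Tree`, `Monitor`, `sweepScenario` and every other name are hypothetical and do not mirror TraceMonkey's source.

```cpp
#include <cstddef>
#include <vector>

// Simplified model of the invariant stated in comment 2. Every name here is
// hypothetical; this is not TraceMonkey's code.
struct Tree {
    int  loop;         // trees compiled for the same loop header are peers
    bool deadGCThing;  // refers to an object the GC is about to free
    bool trashed;
};

struct Monitor {
    std::vector<Tree> trees;
    int  recording = -1;  // index of the tree being recorded, -1 when idle
    bool aborted = false;

    // One dead GC thing in any peer trashes the whole peer group.
    // abortOnTrash=false models the regression, true models the fix.
    void sweep(bool abortOnTrash) {
        for (std::size_t d = 0; d < trees.size(); ++d) {
            if (!trees[d].deadGCThing || trees[d].trashed) continue;
            for (std::size_t i = 0; i < trees.size(); ++i) {
                if (trees[i].loop != trees[d].loop) continue;
                trees[i].trashed = true;
                if (abortOnTrash && recording == static_cast<int>(i)) {
                    recording = -1;  // abort: recorder must not outlive its tree
                    aborted = true;
                }
            }
        }
    }
    // True when the recorder still points at a trashed tree.
    bool recorderDangling() const {
        return recording >= 0 && trees[recording].trashed;
    }
};

// Constructed scenario: trees 0 and 1 are peers for loop 1; the recorder
// works on tree 0 while only tree 1 holds a dead GC thing.
Monitor sweepScenario(bool abortOnTrash) {
    Monitor m;
    m.trees = { {1, false, false}, {1, true, false}, {2, false, false} };
    m.recording = 0;
    m.sweep(abortOnTrash);
    return m;
}

int main() { return sweepScenario(true).recorderDangling() ? 1 : 0; }
```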