Closed Bug 661840 Opened 13 years ago Closed 13 years ago

TI: "Assertion failure: addr % Cell::CellSize == 0,"

Categories: Core :: JavaScript Engine, defect
Platform: x86, Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
People: Reporter: gkw, Unassigned
Keywords: assertion, testcase
Attachments: 1 file

Attached file: stack

function f(a) {}
s = [{
  s: [],
  s: function(d, b) {},
  t: function() {
    try {} catch (e) {}
  }
}, {
  t: "",
  s: [],
  s: function(d, b) {}
}, {
  t: "",
  s: [],
  s: function(d, b) {},
  t: function() {}
}, {
  t: "",
  x: "",
  s: [],
  g: function(b) {},
  t: function(f) {}
}, {
  t: "",
  s: [],
  s: function() {}
}];
v = 0
Function("gc(evalcx('lazy'))")();
gczeal();
gc();
(function() {
  x
})()

asserts js debug shell on JM changeset 11714be33655 with -n at Assertion failure: addr % Cell::CellSize == 0, when the testcase is passed in as a CLI argument.
Fixed as part of rev a638ecbe6843.  During a compartment GC it is possible to call js_TraceScript on scripts outside the target compartment, and in such cases we would mark any type objects in a list attached to the script (objects for initializers within the script, etc.).  The mark bit would stay set until the next major GC, when we saw the bit and incorrectly thought that the objects/shapes/etc. in the type object had already been traced.  The fix (discussed with billm on IRC) has js_TraceScript detect this situation and do no tracing at all in such cases.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
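
A toy model of the stale mark bit described in the comment above, added here as an example; it is not SpiderMonkey code. The names Cell, Script, GC and liveShapeFreed are hypothetical, and the model assumes that sweeping clears mark bits only in the compartments being collected.

```cpp
#include <vector>

// Toy model (constructed): names and layout are not SpiderMonkey's.
struct Cell {
    int comp;                    // owning compartment
    bool marked = false, freed = false;
    std::vector<Cell*> kids;     // shapes/objects reachable from a type object
};
struct Script { int comp; std::vector<Cell*> typeObjects; };

struct GC {
    int target;                  // compartment being collected, -1 = full GC
    bool fixedTrace;             // apply the check described in the fix
    bool collecting(int c) const { return target < 0 || target == c; }
    void mark(Cell* c) {         // ordinary marking respects the target
        if (!collecting(c->comp) || c->marked) return;
        c->marked = true;
        for (Cell* k : c->kids) mark(k);
    }
    void traceScript(Script& s) {
        if (fixedTrace && !collecting(s.comp)) return;  // fix: no tracing at all
        for (Cell* t : s.typeObjects) {
            if (t->marked) continue;     // bit set => assumed already traced
            t->marked = true;            // bug: set even outside the target
            for (Cell* k : t->kids) mark(k);
        }
    }
    void sweep(std::vector<Cell*>& heap) {  // touches collected compartments only
        for (Cell* c : heap) {
            if (!collecting(c->comp)) continue;
            if (!c->marked) c->freed = true;
            c->marked = false;
        }
    }
};

// GC of compartment 0 reaches a script in 1, then a full GC; true = live shape freed.
bool liveShapeFreed(bool fixedTrace) {
    Cell shape{1}, typeObj{1};
    typeObj.kids.push_back(&shape);
    Script script{1, {&typeObj}};
    std::vector<Cell*> heap{&typeObj, &shape};
    for (int target : {0, -1}) {
        GC gc{target, fixedTrace};
        gc.traceScript(script);
        gc.sweep(heap);
    }
    return shape.freed;
}
```

Without the check, the type object keeps its mark bit across the compartment GC, so the full GC skips its children and sweeps a shape that is still reachable.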
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+