Closed Bug 667507 Opened 13 years ago Closed 13 years ago

TM/JM: "Assertion failure: shape->previous() == obj->lastProperty()," with gc

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla8
Tracking Status
firefox5 - unaffected
firefox6 - unaffected
firefox7 + fixed
status1.9.2 --- unaffected

People

(Reporter: gkw, Assigned: igor)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?][needs aurora landing for Fx7][qa-])

Attachments

(2 files)

Attached file stack
for (i = 0; i < 10; i++) {
    Object.defineProperty({}, "", {
        get: function() {}
    })
    gc()
}

asserts js debug shell on TM changeset bf147b22f72c with -m, -a and -j at Assertion failure: shape->previous() == obj->lastProperty(),

Locking s-s because this involves gc and just-to-be-safe.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   71353:dc137da5a3b4
user:        Igor Bukanov
date:        Tue May 31 10:01:09 2011 +0200
summary:     Bug 657198 - improving unreachable GC things detection in traces. r=gal
Tested on 64-bit shell on Mac.
Guessing at severity. Igor, please correct if I'm overly pessimistic
Assignee: general → igor
Whiteboard: [sg:critical?]
Attached patch v1Splinter Review
When fixing bug 657198 I have missed that under recording fragment's code is yet set. So my patch their ignored the recording fragment when scanning for GC things. This should fix the issue.
Attachment #543785 - Flags: review?(gal)
Comment on attachment 543785 [details] [diff] [review]
v1

IsFragmentGraphWithUnreachableGCThingImpl is a terrible name. At least take Impl off. How about ContainsUnrechableGCThing() ? r+ either way though. Try to pick a better name at your leisure.
Attachment #543785 - Flags: review?(gal) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/eb800178da45 - pushed with extra comments and the suggested name change.
Whiteboard: [sg:critical?] → [sg:critical?] [inbound]
http://hg.mozilla.org/mozilla-central/rev/eb800178da45
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] [inbound] → [sg:critical?]
Target Milestone: --- → mozilla8
Is this patch good for 7? If so, please request aurora approval.
Attachment #543785 - Flags: approval-mozilla-aurora?
Comment on attachment 543785 [details] [diff] [review]
v1

Approved for releases/mozilla-aurora. Please land ASAP.
Attachment #543785 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [sg:critical?] → [sg:critical?][needs aurora landing for Fx7]
Marking fixed for 7 now that this landed on Aurora!
Does this affect 1.9.2? If so we'll need to take it for 1.9.2.21
(In reply to Christian Legnitto [:LegNeato] from comment #11)
> Does this affect 1.9.2? 

No - the bug is a regression from the bug 657198 which is in turn a regression from the bug 597736. And that bug (a leak) is wontfix for 1.9.2.
qa- as no QA fix verification needed
Whiteboard: [sg:critical?][needs aurora landing for Fx7] → [sg:critical?][needs aurora landing for Fx7][qa-]
Group: core-security
Test committed with fix, marking verified based on that.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.