Closed
Bug 667507
Opened 13 years ago
Closed 13 years ago
TM/JM: "Assertion failure: shape->previous() == obj->lastProperty()," with gc
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla8
Tracking | Status | |
---|---|---|
firefox5 | - | unaffected |
firefox6 | - | unaffected |
firefox7 | + | fixed |
status1.9.2 | --- | unaffected |
People
(Reporter: gkw, Assigned: igor)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?][needs aurora landing for Fx7][qa-])
Attachments
(2 files)
5.33 KB,
text/plain
|
Details | |
3.97 KB,
patch
|
gal
:
review+
christian
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
for (i = 0; i < 10; i++) { Object.defineProperty({}, "", { get: function() {} }) gc() } asserts js debug shell on TM changeset bf147b22f72c with -m, -a and -j at Assertion failure: shape->previous() == obj->lastProperty(), Locking s-s because this involves gc and just-to-be-safe. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 71353:dc137da5a3b4 user: Igor Bukanov date: Tue May 31 10:01:09 2011 +0200 summary: Bug 657198 - improving unreachable GC things detection in traces. r=gal
Reporter | ||
Comment 1•13 years ago
|
||
Tested on 64-bit shell on Mac.
Comment 2•13 years ago
|
||
Guessing at severity. Igor, please correct if I'm overly pessimistic
Assignee: general → igor
Whiteboard: [sg:critical?]
Updated•13 years ago
|
status-firefox5:
--- → unaffected
status-firefox6:
--- → affected
status-firefox7:
--- → affected
tracking-firefox5:
--- → -
tracking-firefox6:
--- → +
tracking-firefox7:
--- → +
Updated•13 years ago
|
Assignee | ||
Comment 3•13 years ago
|
||
When fixing bug 657198 I have missed that under recording fragment's code is yet set. So my patch their ignored the recording fragment when scanning for GC things. This should fix the issue.
Attachment #543785 -
Flags: review?(gal)
Comment 4•13 years ago
|
||
Comment on attachment 543785 [details] [diff] [review] v1 IsFragmentGraphWithUnreachableGCThingImpl is a terrible name. At least take Impl off. How about ContainsUnrechableGCThing() ? r+ either way though. Try to pick a better name at your leisure.
Attachment #543785 -
Flags: review?(gal) → review+
Assignee | ||
Comment 5•13 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/rev/eb800178da45 - pushed with extra comments and the suggested name change.
Whiteboard: [sg:critical?] → [sg:critical?] [inbound]
Comment 6•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/eb800178da45
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] [inbound] → [sg:critical?]
Target Milestone: --- → mozilla8
Comment 7•13 years ago
|
||
Is this patch good for 7? If so, please request aurora approval.
Assignee | ||
Updated•13 years ago
|
Attachment #543785 -
Flags: approval-mozilla-aurora?
Comment on attachment 543785 [details] [diff] [review] v1 Approved for releases/mozilla-aurora. Please land ASAP.
Attachment #543785 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•13 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?][needs aurora landing for Fx7]
Updated•13 years ago
|
Comment 10•13 years ago
|
||
Marking fixed for 7 now that this landed on Aurora!
Comment 11•13 years ago
|
||
Does this affect 1.9.2? If so we'll need to take it for 1.9.2.21
Assignee | ||
Comment 12•13 years ago
|
||
(In reply to Christian Legnitto [:LegNeato] from comment #11) > Does this affect 1.9.2? No - the bug is a regression from the bug 657198 which is in turn a regression from the bug 597736. And that bug (a leak) is wontfix for 1.9.2.
Updated•13 years ago
|
status1.9.2:
--- → unaffected
Comment 13•13 years ago
|
||
qa- as no QA fix verification needed
Whiteboard: [sg:critical?][needs aurora landing for Fx7] → [sg:critical?][needs aurora landing for Fx7][qa-]
Updated•12 years ago
|
Group: core-security
Reporter | ||
Comment 14•12 years ago
|
||
Test committed with fix, marking verified based on that.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•