Closed Bug 673792 Opened 13 years ago Closed 13 years ago

TI: "Assertion failure: thing->compartment() == gcmarker->context->runtime->gcCurrentCompartment,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase)

a = {}.__proto__ gc(evalcx('split')) asserts js debug shell on JM changeset 8c7adf094b8e without any CLI arguments at Assertion failure: thing->compartment() == gcmarker->context->runtime->gcCurrentCompartment, This was found using a combination of jsfunfuzz and jandem's method fuzzer.
There was no compartment check when tracing type objects found by the conservative stack scanner, so we could end up marking objects from the wrong compartment during a per-compartment GC. http://hg.mozilla.org/projects/jaegermonkey/rev/681d2903edb7
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.