Closed
Bug 701682
Opened 14 years ago
Closed 14 years ago
Assertion failure: cell->compartment() == comp || cell->compartment() == comp->rt->atomsCompartment, at ../../gc/Barrier-inl.h:184
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla11
People
(Reporter: decoder, Assigned: billm)
Details
(Keywords: assertion, testcase, Whiteboard: js-triage-done)
Attachments
(3 files)
|
1.90 KB,
application/x-compressed-tar
|
Details | |
|
1.22 KB,
patch
|
Details | Diff | Splinter Review | |
|
1.33 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The attached test asserts on mozilla-central revision 50c1bcb49c76 (options -m -n).
S-s for now due to GC relatedness.
|
Assignee | |
Comment 1•14 years ago
|
||
Here's what was happening. Normally, if a dense array has dynamic slots, its fixed slots contain garbage and they're not scanned by the GC. During array slowification, they become scannable once we switch the class. We eventually overwrite them with good values, but there's an interval where the GC could see bad values. (The GC can be invoked here through the various add props, I think.)
This tripped an assert in the write barrier code, but I'm guessing it's been a bug for a while.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #573967 -
Flags: review?(bhackett1024)
|
|
Assignee | |
Updated•14 years ago
|
Whiteboard: js-triage-needed → js-triage-done
|
||
Comment 2•14 years ago
|
||
(In reply to Bill McCloskey (:billm) from comment #1)
> Created attachment 573967 [details] [diff] [review] [diff] [details] [review]
> fix
>
> Here's what was happening. Normally, if a dense array has dynamic slots, its
> fixed slots contain garbage and they're not scanned by the GC. During array
> slowification, they become scannable once we switch the class. We eventually
> overwrite them with good values, but there's an interval where the GC could
> see bad values. (The GC can be invoked here through the various add props, I
> think.)
>
> This tripped an assert in the write barrier code, but I'm guessing it's been
> a bug for a while.
I don't think this diagnosis is right. The GC only scans up to the object's slot span, and makeDenseArraySlow fills in the object slots immediately before updating the slot span, so the GC should never try to access those uninitialized slots.
|
|
||
Updated•14 years ago
|
Attachment #573967 -
Flags: review?(bhackett1024)
|
|
Assignee | |
Comment 3•14 years ago
|
||
Attachment #574345 -
Flags: review?(bhackett1024)
|
|
Assignee | |
Comment 4•14 years ago
|
||
Oops, I hit enter by accident.
You're right about the previous patch. It was just a write barrier problem.
|
|
||
Updated•14 years ago
|
Attachment #574345 -
Flags: review?(bhackett1024) → review+
|
|
Assignee | |
Comment 5•14 years ago
|
||
Target Milestone: --- → mozilla11
|
||
Comment 6•14 years ago
|
||
from edmorley : https://hg.mozilla.org/mozilla-central/rev/920c5da54a5c
|
|
Assignee | |
Updated•14 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
Reporter | |
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•