Bug 722028 - Assertion failure: static_cast<Cell *>(thing)->isMarked(), at jsgc.cpp:3670
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla13
Assigned To: Bill McCloskey (:billm)
QA Contact:
Mentors:
Depends on:
Blocks: langfuzz
Reported: 2012-01-28 03:18 PST by Christian Holler (:decoder)
Modified: 2013-01-14 07:39 PST
CC: 6 users
Flags: choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
patch (1.53 KB, patch)
2012-01-30 11:40 PST, Bill McCloskey (:billm)
bhackett1024: review+

Description Christian Holler (:decoder) 2012-01-28 03:18:35 PST
The following test asserts on mozilla-central revision 8a59519e137e (options -m -n):

gczeal(4);  // JS shell built-in: zeal mode 4 enables the write-barrier verifier
var BUGNUMBER = 668024;
var summary =
print(BUGNUMBER + ": " + summary);
var arr = [0, 1, 2, 3, 4, 5, , 7];
var seen = [];
for (var p in arr) {
  if (seen.indexOf(unescape) >= 0) {}
  arr.splice(2, 3);  // shrinks the array while it is being enumerated
  seen.push(p);
}

Seems related to incremental GC, so not security relevant for now.
Comment 1 Bill McCloskey (:billm) 2012-01-30 11:40:15 PST
Created attachment 592799
patch

Looks like this has been missing since write barriers landed. Oops.
Comment 3 Phil Ringnalda (:philor) 2012-02-10 19:51:03 PST
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/71f5bf4df2f6 - one of the six in that push was crashing in js::gc::Mark<JSString>
Comment 5 Marco Bonardo [::mak] 2012-02-13 09:07:05 PST
https://hg.mozilla.org/mozilla-central/rev/5fe3e1c45867
Comment 6 Christian Holler (:decoder) 2013-01-14 07:39:12 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug722028.js.