"Assertion failure: (ptrBits & 0x7) == 0,"

VERIFIED FIXED in Firefox 13

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 6 years ago
Last modified: 5 years ago
People

(Reporter: gkw, Assigned: billm)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Version: Trunk
Target Milestone: mozilla13
Platform: x86
OS: Mac OS X
Keywords: assertion, regression, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox12 unaffected, firefox13 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [sg:critical] js-triage-needed [advisory-tracking+])

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 597899 [details]
stack

(function() {
    let(d) {
        yield
    }
})()
eval("\
    (function(){\
        schedulegc(5), 'a'.replace(/a/,function(){yield})\
    })\
")()

asserts js debug shell on m-c changeset ebafee0cea36 with -m, -a and -n at Assertion failure: (ptrBits & 0x7) == 0,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   86695:fbef6a165cf8
user:        Bill McCloskey
date:        Fri Feb 10 18:32:08 2012 -0800
summary:     Bug 723313 - Stop using conservative stack scanner for VM stack marking (r=luke,bhackett)
(Reporter)

Updated

6 years ago
Group: core-security
(Reporter)

Comment 1

6 years ago
Assuming sg:critical and s-s initially after a quick look by billm and me.
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
(Reporter)

Comment 2

6 years ago
Erm, I updated to tip and this seems gone, probably fixed by bug 714109:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   86735:f29587aa8965
user:        Terrence Cole
date:        Mon Feb 13 10:01:18 2012 -0800
summary:     Bug 714109 - Add missing barriers to Generator; r=billm
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
(Assignee)

Comment 3

6 years ago
I'm going to re-open this, at least until I can triage it. Bug 714109 wasn't intended to fix existing bugs in the tree, so it's more likely that it's just covering up the problem.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 4

6 years ago
OK, it turns out I was wrong. That patch actually does fix the problem. I pushed a test case here:
  https://hg.mozilla.org/integration/mozilla-inbound/rev/4079180d600c
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 5

6 years ago
>   https://hg.mozilla.org/integration/mozilla-inbound/rev/4079180d600c

Setting in-testsuite+
Flags: in-testsuite? → in-testsuite+

Comment 6

6 years ago
(Normally bugs aren't closed until the cset merges from inbound)

https://hg.mozilla.org/mozilla-central/rev/4079180d600c
Followup: https://hg.mozilla.org/mozilla-central/rev/d16c61316cf4
Assignee: general → wmccloskey
Target Milestone: --- → mozilla13

Updated

6 years ago
status-firefox13: --- → fixed
Group: core-security
status-firefox-esr10: --- → unaffected
status-firefox12: --- → unaffected
(Reporter)

Comment 7

6 years ago
Test committed with fix, marking verified based on that.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [advisory-tracking+]