Assertion failure: str, at ../../jsval.h:702 or Crash [@ JSString::isAtom] with OOM

RESOLVED FIXED in mozilla13

Severity: critical
Reporter: decoder
Assigned: billm
Blocks: 1 bug
Version: Trunk
Target milestone: mozilla13
Platform: x86_64, Linux
Keywords: assertion, crash, testcase
Whiteboard: js-triage-needed, crash signature
Attachments: 1

Description (Reporter, 7 years ago)

The following test asserts on mozilla-central revision 9bde0d25d76e (options -m -n -a):


var lfcode = new Array();
lfcode.push("function test()\
    gc();\
    gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 4*1024);\
  function complexMult(a, b) {\
  function complexAdd(a, b) {\
  function abs(a) {\
  function computeEscapeSpeed(c) {\
  function createMandelSet(realRange, imagRange) {}\
      }\
    }\
  }\
}\
");
lfcode.push("function testLambdaCtor( _    )  {\
    for (var x = 0; x < 2; ++x) {\
        var f = function(){};\
        if (x == 1) gc();\
        q = new f;\
    }\
    return q.__proto__ === (testLambdaCtor(\"9.2.1.7 XMLList [[DeepCopy]]\"));\
}\
assertEq(testLambdaCtor(), true);\
");
while (true) {
        var file = lfcode.shift(); if (file == undefined) { break; }
        if (file == "evaluate") {
        } else {
                evaluate(file); //loadFile(file);
        }
}
function loadFile(lfVarx) {
        try {
                if (lfVarx.substr(-3) == ".js") {
                } else {
                        evaluate(lfVarx);
                }
        } catch (lfVare) {      }
}


Originally, this asserted as:

Assertion failure: !hasLazyType(), at ../jsobj.h:867


Crashes afterwards seem like safe null-pointer crashes (probably due to OOM).

Created attachment 600065
don't oom in shell GC

Missing null check.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #600065 - Flags: review?(luke)

Updated

7 years ago
Attachment #600065 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/f00bab9999f9
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED