Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(*thingp)), at jsgc.cpp:4278

RESOLVED FIXED in mozilla14

Status


Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: decoder, Assigned: billm)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Version: Trunk
Target Milestone: mozilla14
Platform: x86
OS: Linux
Keywords: assertion, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed)

Attachments

(2 attachments)

Description (Reporter), 5 years ago

Created attachment 613840 [details]
Test case for shell (run with -n -m -a)

The attached test asserts on mozilla-central revision 3fa30b0edd15 (options -m -a -n).

Marking s-s because this assertion is GC-related.

Billm: Is this a dup of bug 740509 or some other issue?
Comment 1 (Assignee), 5 years ago

Created attachment 614174 [details] [diff] [review]
patch

This is a regression from bug 739899. When doing conservative stack scanning, I checked the gcRunning flag to see if we should reject things in other compartments. However, this flag is set by AutoHeapSession (i.e., by pretty much anyone who will use the conservative scanner). We really need to be checking IS_GC_MARKING_TRACER.

This doesn't affect the GC or CC, so I don't think it's sensitive.
Attachment #614174 - Flags: review?
Updated (Assignee), 5 years ago

Group: core-security
Updated (Assignee), 5 years ago

Attachment #614174 - Flags: review? → review?(igor)

Comment 2, 5 years ago

Comment on attachment 614174 [details] [diff] [review]
patch

Review of attachment 614174 [details] [diff] [review]:
-----------------------------------------------------------------

The test is really nice!
Attachment #614174 - Flags: review?(igor) → review+
Updated (Assignee), 5 years ago

Duplicate of this bug: 744356
Updated (Assignee), 5 years ago

Duplicate of this bug: 744287
Comment 5 (Assignee), 5 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/ca36c6b332d8
Target Milestone: --- → mozilla14
https://hg.mozilla.org/mozilla-central/rev/ca36c6b332d8
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Comment 7 (Reporter), 5 years ago

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug744285.js.
Flags: in-testsuite+