Closed
Bug 756236
Opened 13 years ago
Closed 13 years ago
IonMonkey: Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(thing)), at jsgc.cpp:4466
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: dvander)
Details
(Keywords: assertion, sec-critical, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
3.07 KB, patch (sstangl: review+)
The following testcase asserts on ionmonkey revision 14735b4dbccc (run with --ion -n -m --ion-eager):
gczeal(4);
function startTest() {}
function TestCase(n, d, e, a)
dump = (function () {});
if (typeof document != "object" || !document.location.href.match(/jsreftest.html/)) {}
function writeHeaderToLog( string ) {}
var SECTION = "11.4.5";
new TestCase( SECTION, "var MYVAR= void 0; --MYVAR", NaN, eval("var MYVAR=void 0; --MYVAR") );
new TestCase( SECTION, "var MYVAR=0;--MYVAR;MYVAR", -1, eval("var MYVAR=0;--MYVAR;MYVAR") );
new TestCase( SECTION, "var MYVAR=0;--MYVAR;MYVAR", -1, eval("var MYVAR=0;--MYVAR;MYVAR") );
Comment 1 (Assignee) • 13 years ago
Bug is that setprop ICs don't emit write barriers. Patch tomorrow.
Assignee: general → dvander
Status: NEW → ASSIGNED
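Why a store stub that omits the write barrier is a memory-safety problem, shown as an added toy model (not SpiderMonkey code and not part of the original bug report). It assumes the barrier is a snapshot-at-the-beginning pre-write barrier that is only needed while incremental marking is in progress; ToyGC, Cell, setSlot and reachableCellIsMarked are hypothetical names.

```cpp
// Toy model, constructed for illustration; not SpiderMonkey code.
#include <cstdio>
#include <vector>

struct Cell {
    bool marked = false;
    Cell* slot = nullptr;              // one outgoing edge is enough here
};

struct ToyGC {
    bool needsBarrier = false;         // true only while marking is in progress
    std::vector<Cell*> markStack;

    void mark(Cell* c) {
        if (c && !c->marked) { c->marked = true; markStack.push_back(c); }
    }
    void startMarking(Cell* root) { needsBarrier = true; mark(root); }
    void slice() {                     // scan one cell, then yield to the mutator
        if (markStack.empty()) return;
        Cell* c = markStack.back();
        markStack.pop_back();
        mark(c->slot);
    }
    void finishMarking() {
        while (!markStack.empty()) slice();
        needsBarrier = false;
    }
    // Slot store as a set-property stub would do it. The pre-barrier marks
    // the value about to be overwritten, preserving the start-of-GC snapshot.
    void setSlot(Cell* obj, Cell* value, bool emitBarrier) {
        if (emitBarrier && needsBarrier) mark(obj->slot);
        obj->slot = value;
    }
};

// True if the still-reachable cell ends up marked when marking finishes.
bool reachableCellIsMarked(bool emitBarrier) {
    Cell root, a, x;
    root.slot = &a; a.slot = &x;       // root -> a -> x
    ToyGC gc;
    gc.startMarking(&root);
    gc.slice();                        // root scanned; a queued; x not yet seen
    gc.setSlot(&root, a.slot, emitBarrier);  // root -> x, but root is already scanned
    gc.setSlot(&a, nullptr, emitBarrier);    // last unscanned path to x is erased
    gc.finishMarking();
    return root.slot == &x && x.marked;
}

int main() {
    std::printf("with barrier: %d, without: %d\n",
                reachableCellIsMarked(true), reachableCellIsMarked(false));
}
```

Without the barrier the cell is still referenced from root but was never marked, so a sweep would free it while a live pointer remains; that unmarked-but-referenced state is what a barrier verifier is built to catch.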
Comment 2 (Assignee) • 13 years ago
I added some stuff to MacroAssembler so we don't have to make an AutoIonContextAlloc thing everywhere.
Attachment #625184 - Flags: review?
Updated (Assignee) • 13 years ago
Attachment #625184 - Flags: review? → review?(sstangl)
Comment 3 • 13 years ago
Comment on attachment 625184
fix
Review of attachment 625184:
-----------------------------------------------------------------
::: js/src/ion/IonCaches.cpp
@@ +346,5 @@
>
> if (obj->isFixedSlot(shape->slot())) {
> Address addr(object(), JSObject::getFixedSlotOffset(shape->slot()));
> +
> + if (cx->compartment->needsBarrier())
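Review bot: the added if (cx->compartment->needsBarrier()) on the fixed-slot path is evaluated while the stub is being generated, so whether the stub contains a barrier is frozen at attach time; a comment at this spot naming what discards the stub when the compartment's barrier state changes would make that dependency explicit. The quoted context shows only the obj->isFixedSlot(...) branch, so the store on the other branch should carry the same guard if it does not already.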
Since ICs are flushed with GC, this code can remain as-is even with the patch preserving Ion code. As a note to myself, I should remember to leave a comment here.
Attachment #625184 - Flags: review?(sstangl) → review+
Comment 4 (Assignee) • 13 years ago
Thanks for the quick review - https://bugzilla.mozilla.org/show_bug.cgi?id=756236
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 5 (Reporter) • 13 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated (Reporter) • 13 years ago
Status: RESOLVED → VERIFIED
Updated • 13 years ago
status-firefox-esr10: --- → unaffected
Keywords: sec-critical
Updated (Reporter) • 13 years ago
Group: core-security
Comment 6 (Reporter) • 12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+