Closed
Bug 756732
Opened 12 years ago
Closed 12 years ago
"Assertion failure: clasp->flags & (1<<5),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla15
People
(Reporter: gkw, Assigned: billm)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [js:p1][fuzzblocker])
Attachments
(2 files)
4.04 KB, text/plain
964 bytes, patch (luke: review+)
try {} catch(e) {}
(function() { gcslice(62) })()

asserts js debug shell on m-c changeset 642d1a36702f without any CLI arguments at Assertion failure: clasp->flags & (1<<5),

gcslice at play but I'm not sure if this is truly risk-free so locking s-s.
Reporter
Comment 1•12 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 94413:f45eec2bd4c7
user: Luke Wagner
date: Tue Dec 20 17:42:45 2011 -0800
summary: Bug 690135 - create scope objects eagerly or not at all (r=jimb)
Blocks: 690135
Comment 2•12 years ago
I'm not able to reproduce this:

src$ hg parent
changeset: 94417:642d1a36702f
parent: 94360:9dab33fa5ff4
parent: 94416:47c8f2d06763
user: Ryan VanderMeulen <ryanvm@gmail.com>
date: Fri May 18 20:40:16 2012 -0400
summary: Merge the last PGO-green inbound changeset to m-c.

src$ file obj~/shell/js
obj~/shell/js: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, not stripped
src$ cat ~/moz/scope-crash.js
try {} catch(e) {}
(function() { gcslice(62) })()
src$ obj~/js -f ~/moz/scope-crash.js
src$ grep ^MOZ_DEBUG obj~/config/autoconf.mk
MOZ_DEBUG = 1
MOZ_DEBUG_SYMBOLS = 1
MOZ_DEBUG_ENABLE_DEFS = -DDEBUG -D_DEBUG -DTRACING
MOZ_DEBUG_DISABLE_DEFS = -DNDEBUG -DTRIMMED
MOZ_DEBUG_FLAGS = -g3 -O0
MOZ_DEBUG_LDFLAGS=
src$
Comment 3•12 years ago
I got it to crash; you just need to find the right gcslice value. I searched using this command (bash):

for ((i=0; i<500; i++)); do if ! obj~/js -e 'try {} catch(e) {}; (function() { gcslice('$i')})()'; then echo $i; break; fi; done

For me, the right value is 84:

src$ obj~/js -e 'try {} catch(e) {}; (function() { gcslice(84)})()'
Assertion failure: clasp->flags & (1<<5), at /home/jimb/moz/dbg/js/src/gc/Marking.cpp:1126
Aborted (core dumped)
src$
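The search from Comment 3, as an added example that is not part of the original comment or the project's code: it counts only exit status 134 (128 + SIGABRT, matching the "Aborted" run above) as a hit, so a missing binary or an unrelated failure is not mistaken for the assertion. The function name find_abort_budget is hypothetical; the shell path and the upper bound are passed as arguments.

```sh
#!/bin/sh
# Added example: find the gcslice() argument that makes a debug JS shell
# die on an assertion. Only the -e flag and the test case text come from
# the bug; the function name and its exit codes are assumptions.

# find_abort_budget SHELL MAX
#   Tries gcslice(0) .. gcslice(MAX-1) with the test case from the bug.
#   Prints the first value for which SHELL is killed by SIGABRT.
#   Exit status: 0 = found, 1 = no value aborted, 2 = SHELL failed in
#   some other way (bad path, syntax error, different crash).
# The body is a subshell "( ... )" so its variables stay local and
# "exit" only ends the function, not the caller.
find_abort_budget() (
    shell=$1
    max=$2
    i=0
    while [ "$i" -lt "$max" ]; do
        status=0
        # "|| status=$?" keeps the loop alive under "set -e".
        "$shell" -e "try {} catch(e) {}; (function() { gcslice($i) })()" \
            >/dev/null 2>&1 || status=$?
        case $status in
            0)
                ;;                      # ran to completion, try the next value
            134)
                echo "$i"               # 128 + 6 (SIGABRT): assertion abort
                exit 0
                ;;
            *)
                echo "gcslice($i): unexpected exit status $status" >&2
                exit 2
                ;;
        esac
        i=$((i + 1))
    done
    exit 1
)

# Usage (path as written in the bug):
#   find_abort_budget obj~/js 500
```

Because the triggering value differs between builds and machines, rerun the search on each build rather than hard-coding the result.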
Comment 4•12 years ago
It seems like this is a crash that could be encountered in the wild. I don't know if it's s-s or not yet; that depends on what kind of invariant that assertion is checking.
Reporter
Comment 5•12 years ago
Setting [fuzzblocker] nonetheless. It happens pretty often.
Whiteboard: js-triage-needed → [fuzzblocker] js-triage-needed
Assignee
Comment 6•12 years ago
We need this stupid flag on every class with a trace hook. It's annoying.
Attachment #625850 - Flags: review?(luke)
Comment 7•12 years ago
Bill, this is just the assertion you added to check when something is turning IGC off, right? If that's the case, it seems like it doesn't need to be s-s.
Updated•12 years ago
Attachment #625850 - Flags: review?(luke) → review+
Assignee
Updated•12 years ago
Group: core-security
Assignee
Comment 9•12 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9de1e72ad539
Target Milestone: --- → mozilla15
Updated•12 years ago
Whiteboard: [fuzzblocker] js-triage-needed → [js:p1][fuzzblocker]
Comment 10•12 years ago
https://hg.mozilla.org/mozilla-central/rev/9de1e72ad539
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter
Comment 11•11 years ago
gcslice value varies -> fragile -> in-testsuite-
Flags: in-testsuite-