The default bug view has changed. See this FAQ.

"Assertion failure: clasp->flags & (1<<5),"

RESOLVED FIXED in mozilla15

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Assigned: billm)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla15
x86
Linux
assertion, regression, testcase
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [js:p1][fuzzblocker])

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 625359 [details]
stack

try {} catch(e) {}
(function() {
    gcslice(62)
})()

asserts js debug shell on m-c changeset 642d1a36702f without any CLI arguments at Assertion failure: clasp->flags & (1<<5),

gcslice at play but I'm not sure if this is truly risk-free so locking s-s.
(Reporter)

Comment 1

5 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   94413:f45eec2bd4c7
user:        Luke Wagner
date:        Tue Dec 20 17:42:45 2011 -0800
summary:     Bug 690135 - create scope objects eagerly or not at all (r=jimb)
Blocks: 690135
(Assignee)

Updated

5 years ago
Assignee: general → wmccloskey
No longer blocks: 349611, 690135
(Reporter)

Updated

5 years ago
Blocks: 349611

Comment 2

5 years ago
I'm not able to reproduce this:

src$ hg parent
changeset:   94417:642d1a36702f
parent:      94360:9dab33fa5ff4
parent:      94416:47c8f2d06763
user:        Ryan VanderMeulen <ryanvm@gmail.com>
date:        Fri May 18 20:40:16 2012 -0400
summary:     Merge the last PGO-green inbound changeset to m-c.

src$ file obj~/shell/js
obj~/shell/js: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, not stripped
src$ cat ~/moz/scope-crash.js 
try {} catch(e) {}
(function() {
    gcslice(62)
})()
src$ obj~/js -f ~/moz/scope-crash.js 
src$ grep ^MOZ_DEBUG obj~/config/autoconf.mk 
MOZ_DEBUG	= 1
MOZ_DEBUG_SYMBOLS = 1
MOZ_DEBUG_ENABLE_DEFS		= -DDEBUG -D_DEBUG -DTRACING
MOZ_DEBUG_DISABLE_DEFS	= -DNDEBUG -DTRIMMED
MOZ_DEBUG_FLAGS	= -g3 -O0
MOZ_DEBUG_LDFLAGS=
src$

Comment 3

5 years ago
I got it to crash; you just need to find the right gcslice value. I searched using this command (bash):

for ((i=0; i<500; i++)); do if ! obj~/js -e 'try {} catch(e) {}; (function() { gcslice('$i')})()'; then echo $i; break; fi; done

For me, the right value is 84: 

src$ obj~/js -e 'try {} catch(e) {}; (function() { gcslice(84)})()'
Assertion failure: clasp->flags & (1<<5), at /home/jimb/moz/dbg/js/src/gc/Marking.cpp:1126
Aborted (core dumped)
src$

Comment 4

5 years ago
It seems like this is a crash that could be encountered in the wild. I don't know if it's s-s or not yet; that depends on what kind of invariant that assertion is checking.
(Reporter)

Comment 5

5 years ago
Setting [fuzzblocker] nonetheless. It happens pretty often.
Whiteboard: js-triage-needed → [fuzzblocker] js-triage-needed
(Assignee)

Comment 6

5 years ago
Created attachment 625850 [details] [diff] [review]
patch

We need this stupid flag on every class with a trace hook. It's annoying.
Attachment #625850 - Flags: review?(luke)
Bill, this is just the assertion you added to check when something is turning IGC off, right?  If that's the case, it seems like it doesn't need to s-s.

Updated

5 years ago
Attachment #625850 - Flags: review?(luke) → review+
(Assignee)

Updated

5 years ago
Group: core-security
(Assignee)

Updated

5 years ago
Duplicate of this bug: 756843
(Assignee)

Comment 9

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9de1e72ad539
Target Milestone: --- → mozilla15
Whiteboard: [fuzzblocker] js-triage-needed → [js:p1][fuzzblocker]
https://hg.mozilla.org/mozilla-central/rev/9de1e72ad539
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 11

5 years ago
gcslice value varies -> fragile -> in-testsuite-
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.