Closed
Bug 756851
Opened 12 years ago
Closed 12 years ago
"Assertion failure: hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla15
Tracking | Status | |
---|---|---|
firefox14 | --- | unaffected |
firefox15 | --- | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: till)
References
Details
(4 keywords, Whiteboard: js-triage-done)
Attachments
(2 files)
5.49 KB,
text/plain
|
Details | |
1.06 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
o0 = {}; g = new ArrayBuffer; g2 = this; v = g2.o0.t; o0 = Object; print( { x: gc(gcPreserveCode()) } ); for (z = 0; z < 3; z) {} asserts js debug shell on m-c changeset 642d1a36702f with -m and -n at Assertion failure: hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK), Tested on 64-bit. gcPreserveCode seems to be involved but I have no idea how serious this might be, setting s-s to be safe. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 94390:5232403e7b8f user: Till Schneidereit date: Fri May 18 13:35:43 2012 -0400 summary: Bug 755604 - Incrementalize JSCompartment::markTypes. r=billm
Assignee | ||
Comment 1•12 years ago
|
||
The attached patch fixes the assert. The problem was a missing call to object->markIfUnmarked before GCMarker::pushObject. I wonder if maybe pushObject and friends should assert that their targets have been marked to prevent similar issues in the future?
Assignee: general → tschneidereit+bmo
Status: NEW → ASSIGNED
Attachment #625500 -
Flags: review?(wmccloskey)
Assignee | ||
Comment 2•12 years ago
|
||
Pushed to try: https://tbpl.mozilla.org/?tree=Try&rev=786e061ae7f3
Comment on attachment 625500 [details] [diff] [review] fix Oops, sorry. I should have caught this.
Attachment #625500 -
Flags: review?(wmccloskey) → review+
Comment 5•12 years ago
|
||
Pushed to m-c. https://hg.mozilla.org/mozilla-central/rev/fb3036d9b9e6
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
Updated•12 years ago
|
Keywords: checkin-needed
Updated•12 years ago
|
status-firefox14:
--- → unaffected
status-firefox15:
--- → fixed
Assignee | ||
Comment 7•12 years ago
|
||
I guess I can massage the fuzzer result into a somewhat sane test. Will ask on #jsapi for details.
Comment 8•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Updated•12 years ago
|
Whiteboard: js-triage-done
Comment 9•12 years ago
|
||
I guess this can be opened now as it only affected trunk and is verified and in today's Nightly, right?
Comment 12•12 years ago
|
||
The crash stacks in bug 756796 look sec-critical
status-firefox-esr10:
--- → unaffected
Keywords: sec-critical
Updated•12 years ago
|
Group: core-security
Comment 14•11 years ago
|
||
Test added: https://hg.mozilla.org/integration/mozilla-inbound/rev/7d147fc0477f
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•