Bug 756851 - "Assertion failure: hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK),"
Keywords: assertion, regression, sec-critical, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla15
Assigned To: Till Schneidereit [till]
: Jason Orendorff [:jorendorff]
Duplicates: 756778 756779 756863
Depends on:
Blocks: jsfunfuzz 755604 756796 756797 756798
Reported: 2012-05-20 02:01 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-03-13 05:35 PDT (History)
choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments:
stack (5.49 KB, text/plain), 2012-05-20 02:01 PDT, Gary Kwong [:gkw] [:nth10sd], no flags
fix (1.06 KB, patch), 2012-05-20 10:13 PDT, Till Schneidereit [till], wmccloskey: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-05-20 02:01:59 PDT
Created attachment 625472

o0 = {};
g = new ArrayBuffer;
g2 = this;
v = g2.o0.t;
o0 = Object;
        x: gc(gcPreserveCode())
for (z = 0; z < 3; z) {}

asserts js debug shell on m-c changeset 642d1a36702f with -m and -n at Assertion failure: hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK),

Tested on 64-bit.

gcPreserveCode seems to be involved but I have no idea how serious this might be, setting s-s to be safe.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   94390:5232403e7b8f
user:        Till Schneidereit
date:        Fri May 18 13:35:43 2012 -0400
summary:     Bug 755604 - Incrementalize JSCompartment::markTypes. r=billm
Comment 1 Till Schneidereit [till] 2012-05-20 10:13:46 PDT
Created attachment 625500

The attached patch fixes the assert.

The problem was a missing call to object->markIfUnmarked before GCMarker::pushObject.

I wonder if maybe pushObject and friends should assert that their targets have been marked to prevent similar issues in the future?
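As an added illustration of the ordering problem described in comment 1 (not code from the bug's patch or from SpiderMonkey; Obj, Marker, Outcome and runMarking are simplified stand-ins), a toy mark-stack marker that shows what goes wrong when an object is pushed before markIfUnmarked, and how a check in pushObject would catch it:

```cpp
#include <vector>

// Toy mark-stack marker modelling the ordering bug described in comment 1.
// Not SpiderMonkey code: Obj, Marker and Outcome are simplified stand-ins.
struct Obj {
    bool marked = false;
    std::vector<Obj*> children;
};

struct Marker {
    std::vector<Obj*> stack;
    int violations = 0;  // pushes of objects whose mark bit was not yet set
    // Mirrors markIfUnmarked: set the mark bit, report whether it was newly set.
    bool markIfUnmarked(Obj* o) {
        if (o->marked) return false;
        o->marked = true;
        return true;
    }
    // pushObject expects an already-marked object; comment 1 proposes asserting
    // that. Here the violation is counted instead so the outcome can be inspected.
    void pushObject(Obj* o) {
        if (!o->marked) ++violations;
        stack.push_back(o);
    }
    // Correct ordering: mark first, push only when this call set the bit.
    void markAndPush(Obj* o) {
        if (markIfUnmarked(o)) pushObject(o);
    }
    // Pop objects and trace their children until the stack is empty.
    void drain() {
        while (!stack.empty()) {
            Obj* o = stack.back();
            stack.pop_back();
            for (Obj* c : o->children) markAndPush(c);
        }
    }
};

struct Outcome { int violations; int unmarkedReachable; };

// Constructed graph: root -> {a, b}, a -> c. Counts reachable objects left
// without a mark bit, which is what would let a sweep free a live object.
static Outcome runMarking(bool markRootFirst) {
    Obj root, a, b, c;
    root.children = {&a, &b};
    a.children = {&c};
    Marker m;
    if (markRootFirst) m.markAndPush(&root);  // fixed ordering
    else m.pushObject(&root);                 // buggy ordering: no markIfUnmarked
    m.drain();
    int unmarked = 0;
    for (Obj* o : {&root, &a, &b, &c}) if (!o->marked) ++unmarked;
    return {m.violations, unmarked};
}
```

With the buggy ordering the root's children are traced but the root itself never gets its mark bit, so it is reachable yet looks dead to the sweeper.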
Comment 2 Till Schneidereit [till] 2012-05-20 10:35:03 PDT
Pushed to try:
Comment 3 Bill McCloskey (:billm) 2012-05-20 13:49:06 PDT
Comment on attachment 625500

Oops, sorry. I should have caught this.
Comment 4 Till Schneidereit [till] 2012-05-20 14:17:11 PDT
Thanks Bill!
Comment 5 Andrew McCreight [:mccr8] 2012-05-20 14:35:48 PDT
Pushed to m-c.
Comment 6 Ryan VanderMeulen [:RyanVM] 2012-05-20 14:45:31 PDT
Possible to write a test for this?
Comment 7 Till Schneidereit [till] 2012-05-20 14:50:21 PDT
I guess I can massage the fuzzer result into a somewhat sane test. Will ask on #jsapi for details.
Comment 8 Christian Holler (:decoder) 2012-05-20 15:26:33 PDT
JSBugMon: This bug has been automatically verified fixed.
Comment 9 Robert Kaiser 2012-05-21 10:25:11 PDT
I guess this can be opened now as it only affected trunk and is verified and in today's Nightly, right?
Comment 10 David Anderson [:dvander] 2012-05-21 16:18:52 PDT
*** Bug 756779 has been marked as a duplicate of this bug. ***
Comment 11 David Anderson [:dvander] 2012-05-21 16:19:26 PDT
*** Bug 756778 has been marked as a duplicate of this bug. ***
Comment 12 Daniel Veditz [:dveditz] 2012-05-22 12:01:32 PDT
The crash stacks in bug 756796 look sec-critical
Comment 13 Luke Wagner [:luke] 2012-05-29 15:45:45 PDT
*** Bug 756863 has been marked as a duplicate of this bug. ***
Comment 14 Christian Holler (:decoder) 2013-03-12 20:05:46 PDT
Test added:
Comment 15 Ed Morley [:emorley] 2013-03-13 05:35:41 PDT
