Closed
Bug 756851
Opened 12 years ago
Closed 12 years ago
"Assertion failure: hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla15
| Tracking | Status | |
|---|---|---|
| firefox14 | --- | unaffected |
| firefox15 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: till)
References
Details
(4 keywords, Whiteboard: js-triage-done)
Attachments
(2 files)
|
5.49 KB,
text/plain
|
Details | |
|
1.06 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
o0 = {};
g = new ArrayBuffer;
g2 = this;
v = g2.o0.t;
o0 = Object;
print(
{
x: gc(gcPreserveCode())
}
);
for (z = 0; z < 3; z) {}
asserts js debug shell on m-c changeset 642d1a36702f with -m and -n at Assertion failure: hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK),
Tested on 64-bit.
gcPreserveCode seems to be involved but I have no idea how serious this might be, setting s-s to be safe.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 94390:5232403e7b8f
user: Till Schneidereit
date: Fri May 18 13:35:43 2012 -0400
summary: Bug 755604 - Incrementalize JSCompartment::markTypes. r=billm
|
Assignee | |
Comment 1•12 years ago
|
||
The attached patch fixes the assert. The problem was a missing call to object->markIfUnmarked before GCMarker::pushObject. I wonder if maybe pushObject and friends should assert that their targets have been marked to prevent similar issues in the future?
Assignee: general → tschneidereit+bmo
Status: NEW → ASSIGNED
Attachment #625500 -
Flags: review?(wmccloskey)
|
|
Assignee | |
Comment 2•12 years ago
|
||
Pushed to try: https://tbpl.mozilla.org/?tree=Try&rev=786e061ae7f3
Comment on attachment 625500 [details] [diff] [review] fix Oops, sorry. I should have caught this.
Attachment #625500 -
Flags: review?(wmccloskey) → review+
|
||
Comment 5•12 years ago
|
||
Pushed to m-c. https://hg.mozilla.org/mozilla-central/rev/fb3036d9b9e6
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
|
|
||
Updated•12 years ago
|
Keywords: checkin-needed
|
|
||
Updated•12 years ago
|
status-firefox14:
--- → unaffected
status-firefox15:
--- → fixed
|
|
Assignee | |
Comment 7•12 years ago
|
||
I guess I can massage the fuzzer result into a somewhat sane test. Will ask on #jsapi for details.
|
||
Comment 8•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
|
Reporter | |
Updated•12 years ago
|
Whiteboard: js-triage-done
|
|
||
Comment 9•12 years ago
|
||
I guess this can be opened now as it only affected trunk and is verified and in today's Nightly, right?
|
||
Comment 12•12 years ago
|
||
The crash stacks in bug 756796 look sec-critical
status-firefox-esr10:
--- → unaffected
Keywords: sec-critical
|
|
||
Updated•12 years ago
|
Group: core-security
|
|
||
Comment 14•11 years ago
|
||
Test added: https://hg.mozilla.org/integration/mozilla-inbound/rev/7d147fc0477f
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•