Bug 756851 - "Assertion failure: hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK),"
Status: VERIFIED FIXED
Whiteboard: js-triage-done
Keywords: assertion, regression, sec-critical, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla15
Assigned To: Till Schneidereit [:till]
Duplicates: 756778 756779 756863
Blocks: jsfunfuzz 755604 756796 756797 756798
Reported: 2012-05-20 02:01 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-03-13 05:35 PDT
Flags: choller: in-testsuite+

Attachments
stack (5.49 KB, text/plain) - 2012-05-20 02:01 PDT, Gary Kwong [:gkw] [:nth10sd]
fix (1.06 KB, patch) - 2012-05-20 10:13 PDT, Till Schneidereit [:till] - wmccloskey: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-05-20 02:01:59 PDT
Created attachment 625472
stack

o0 = {};
g = new ArrayBuffer;
g2 = this;
v = g2.o0.t;
o0 = Object;
print(
    {
        x: gc(gcPreserveCode())
    }
);
for (z = 0; z < 3; z) {}

asserts js debug shell on m-c changeset 642d1a36702f with -m and -n at Assertion failure: hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK),

Tested on 64-bit.

gcPreserveCode seems to be involved but I have no idea how serious this might be, setting s-s to be safe.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   94390:5232403e7b8f
user:        Till Schneidereit
date:        Fri May 18 13:35:43 2012 -0400
summary:     Bug 755604 - Incrementalize JSCompartment::markTypes. r=billm
Comment 1 Till Schneidereit [:till] 2012-05-20 10:13:46 PDT
Created attachment 625500
fix

The attached patch fixes the assert.

The problem was a missing call to object->markIfUnmarked before GCMarker::pushObject.

I wonder if maybe pushObject and friends should assert that their targets have been marked to prevent similar issues in the future?
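The marking discipline described in this comment (call markIfUnmarked, then push only if that call did the marking), and the consequence of skipping it, as an added illustration that is not part of the bug report or of SpiderMonkey's code. The toy mark stack below is invented for the example; only the names markIfUnmarked and pushObject are borrowed from the comment's wording, and the object graph is constructed. A push of an unmarked object leaves its mark bit clear, so any later path that reaches the same object marks and pushes it again, and the marker scans it twice; the proposed assertion in pushObject catches that at the push itself rather than at some later, unrelated assertion.

```cpp
#include <cassert>
#include <vector>

// Toy GC mark stack. Invented for illustration; not SpiderMonkey's GCMarker.
struct Obj {
    bool marked = false;
    std::vector<Obj*> children;
    int timesScanned = 0;   // instrumentation: how often drain() scanned this object
};

// Set the mark bit. Returns true only on the unmarked -> marked transition,
// which is what makes "mark, then push only if newly marked" idempotent.
inline bool markIfUnmarked(Obj* o) {
    if (o->marked) return false;
    o->marked = true;
    return true;
}

class Marker {
public:
    // strict=true turns the invariant check into a hard assertion (the check
    // proposed in the comment above); strict=false only counts violations so
    // the consequence of the bug can be observed instead of aborting.
    explicit Marker(bool strict) : strict_(strict) {}

    // Correct entry point: mark first, push only if this call did the marking.
    void markAndPush(Obj* o) {
        if (markIfUnmarked(o)) pushObject(o);
    }

    // The buggy pattern: push without the preceding markIfUnmarked.
    void pushWithoutMarking(Obj* o) { pushObject(o); }

    // Pop until empty, scanning each popped object and marking+pushing its
    // children. Returns the number of scans performed.
    int drain() {
        int scans = 0;
        while (!stack_.empty()) {
            Obj* o = stack_.back();
            stack_.pop_back();
            ++o->timesScanned;
            ++scans;
            for (Obj* c : o->children) markAndPush(c);
        }
        return scans;
    }

    int violations() const { return violations_; }

private:
    // Invariant: everything on the mark stack is already marked.
    void pushObject(Obj* o) {
        if (!o->marked) {
            ++violations_;
            assert(!strict_ && "object pushed onto mark stack before being marked");
        }
        stack_.push_back(o);
    }

    bool strict_;
    int violations_ = 0;
    std::vector<Obj*> stack_;
};

struct Result {
    int totalScans;      // scans performed by drain()
    int scansOfShared;   // how often the doubly reachable object was scanned
    int violations;      // pushes of an unmarked object
};

// Constructed graph: root -> shared. "shared" is also pushed directly as a
// second root, standing in for an object reached from a separate marking pass.
Result runScenario(bool buggy) {
    Obj shared;
    Obj root;
    root.children.push_back(&shared);

    Marker m(/*strict=*/false);
    if (buggy)
        m.pushWithoutMarking(&shared);   // the missing markIfUnmarked
    else
        m.markAndPush(&shared);
    m.markAndPush(&root);

    int scans = m.drain();
    return Result{scans, shared.timesScanned, m.violations()};
}
```

runScenario(false) scans each object once and records no violation; runScenario(true) records one violation and scans the shared object twice. Constructing the Marker with strict=true makes the buggy push abort immediately, which is the localisation benefit of putting the assertion in pushObject.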
Comment 2 Till Schneidereit [:till] 2012-05-20 10:35:03 PDT
Pushed to try: https://tbpl.mozilla.org/?tree=Try&rev=786e061ae7f3
Comment 3 Bill McCloskey (:billm) 2012-05-20 13:49:06 PDT
Comment on attachment 625500
fix

Oops, sorry. I should have caught this.
Comment 4 Till Schneidereit [:till] 2012-05-20 14:17:11 PDT
Thanks Bill!
Comment 5 Andrew McCreight [:mccr8] 2012-05-20 14:35:48 PDT
Pushed to m-c.

https://hg.mozilla.org/mozilla-central/rev/fb3036d9b9e6
Comment 6 Ryan VanderMeulen [:RyanVM] 2012-05-20 14:45:31 PDT
Possible to write a test for this?
Comment 7 Till Schneidereit [:till] 2012-05-20 14:50:21 PDT
I guess I can massage the fuzzer result into a somewhat sane test. Will ask on #jsapi for details.
Comment 8 Christian Holler (:decoder) 2012-05-20 15:26:33 PDT
JSBugMon: This bug has been automatically verified fixed.
Comment 9 Robert Kaiser 2012-05-21 10:25:11 PDT
I guess this can be opened now as it only affected trunk and is verified and in today's Nightly, right?
Comment 10 David Anderson [:dvander] 2012-05-21 16:18:52 PDT
*** Bug 756779 has been marked as a duplicate of this bug. ***
Comment 11 David Anderson [:dvander] 2012-05-21 16:19:26 PDT
*** Bug 756778 has been marked as a duplicate of this bug. ***
Comment 12 Daniel Veditz [:dveditz] 2012-05-22 12:01:32 PDT
The crash stacks in bug 756796 look sec-critical
Comment 13 Luke Wagner [:luke] 2012-05-29 15:45:45 PDT
*** Bug 756863 has been marked as a duplicate of this bug. ***
Comment 14 Christian Holler (:decoder) 2013-03-12 20:05:46 PDT
Test added:

https://hg.mozilla.org/integration/mozilla-inbound/rev/7d147fc0477f
Comment 15 Ed Morley [:emorley] 2013-03-13 05:35:41 PDT
https://hg.mozilla.org/mozilla-central/rev/7d147fc0477f