Persona is no longer an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 767074 - Assertion failure: (ptrBits & 0x7) == 0, at jsval.h:731 or Crash [@ js::gc::ArenaHeader::allocated]
: Assertion failure: (ptrBits & 0x7) == 0, at jsval.h:731 or Crash [@ js::gc::A...
: assertion, crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: mozilla16
Assigned To: Bill McCloskey (:billm)
: Jason Orendorff [:jorendorff]
: 767964 770712 (view as bug list)
Depends on:
Blocks: langfuzz 767964
  Show dependency treegraph
Reported: 2012-06-21 11:33 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:36 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch (1.35 KB, patch)
2012-07-02 18:10 PDT, Bill McCloskey (:billm)
bhackett1024: review+
Details | Diff | Splinter Review

Description Christian Holler (:decoder) 2012-06-21 11:33:03 PDT
The following test asserts on mozilla-central revision c83282305cb9 (options -m -n -a):

var callStack = new Array();
function exitFunc (funcName) {
  var lastFunc = callStack.pop();
var sb = evalcx('');
sb.parent = this;
this.f = function name(outer) {
        return (exitFunc ('test'));
evalcx('this.f = parent.f; var s = ""; for (i = 0; i < 10; ++i) s += f(true); s', sb);

S-s due to assertion known to be dangerous.
Comment 1 Christian Holler (:decoder) 2012-06-25 05:54:11 PDT
This now shows up as

Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:825
Comment 2 Bill McCloskey (:billm) 2012-07-02 18:10:56 PDT
Created attachment 638559 [details] [diff] [review]

This bug is similar to bug 753283. We run for a while in the methodjit and then we return to the interpreter to finish running the method. We return with the PC set to a SETLOCAL op. We immediately call the barrier verifier, which scans the VM stack. It expects the slot referenced by the SETLOCAL to be valid, but the SETLOCAL hasn't run yet, so it's uninitialized.

The patch just avoids running the verifier at the start of the Interpret when a rejoin is taking place.
Comment 3 Bill McCloskey (:billm) 2012-07-02 18:11:08 PDT
*** Bug 767964 has been marked as a duplicate of this bug. ***
Comment 4 Bill McCloskey (:billm) 2012-07-05 16:40:12 PDT

This is a debug-only bug, so no reason to keep it closed.
Comment 5 Bill McCloskey (:billm) 2012-07-05 16:43:28 PDT
*** Bug 770712 has been marked as a duplicate of this bug. ***
Comment 6 Away, back on Nov 10 2012-07-06 07:49:56 PDT
Comment 7 Christian Holler (:decoder) 2013-01-14 08:36:42 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug767074.js.

Note You need to log in before you can comment on or make changes to this bug.