Bug 767074 - Assertion failure: (ptrBits & 0x7) == 0, at jsval.h:731 or Crash [@ js::gc::ArenaHeader::allocated]
Status: RESOLVED FIXED
Whiteboard: [js:inv:p1][jsbugmon:update][fuzzbloc...
Keywords: assertion, crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla16
Assigned To: [PTO to Dec5] Bill McCloskey (:billm)
: Jason Orendorff [:jorendorff]
Mentors:
Duplicates: 767964 770712
Depends on:
Blocks: langfuzz 767964
Reported: 2012-06-21 11:33 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:36 PST (History)
Flags: choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
patch (1.35 KB, patch)
2012-07-02 18:10 PDT, [PTO to Dec5] Bill McCloskey (:billm)
bhackett1024: review+

Description Christian Holler (:decoder) 2012-06-21 11:33:03 PDT
The following test asserts on mozilla-central revision c83282305cb9 (options -m -n -a):


var callStack = new Array();
function exitFunc (funcName) {
  var lastFunc = callStack.pop();
}
gczeal(4);            // shell builtin: run the GC write-barrier verifier between instructions
var sb = evalcx('');  // shell builtin: create a fresh sandbox global in its own compartment
sb.parent = this;
this.f = function name(outer) {
  return (exitFunc ('test'));
}
evalcx('this.f = parent.f; var s = ""; for (i = 0; i < 10; ++i) s += f(true); s', sb);


S-s due to assertion known to be dangerous.
Comment 1 Christian Holler (:decoder) 2012-06-25 05:54:11 PDT
This now shows up as

Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:825
Comment 2 [PTO to Dec5] Bill McCloskey (:billm) 2012-07-02 18:10:56 PDT
Created attachment 638559 [details] [diff] [review]
patch

This bug is similar to bug 753283. We run for a while in the methodjit and then we return to the interpreter to finish running the method. We return with the PC set to a SETLOCAL op. We immediately call the barrier verifier, which scans the VM stack. It expects the slot referenced by the SETLOCAL to be valid, but the SETLOCAL hasn't run yet, so it's uninitialized.

The patch just avoids running the verifier at the start of the Interpret when a rejoin is taking place.
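A toy model of the failure mode described in this comment, added here as an illustration and not SpiderMonkey's own code: the tagged-value layout, the opcode set, the frame structure and every function name below are assumptions chosen for the example. A verifier scans every slot of the frame expecting a well-formed tagged value; when the interpreter is entered at a SETLOCAL whose target local has not been written yet, the entry-time scan trips on the unwritten slot, while an entry that skips the scan on rejoin lets the SETLOCAL run before the next per-instruction verification.

```cpp
// Toy model of the rejoin-at-SETLOCAL failure from comment 2. This is an added
// illustration, not SpiderMonkey code: the value encoding, opcodes and frame
// layout below are assumptions chosen for the example.
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed tagged-value layout: high 16 bits hold a type tag, low 48 bits the payload.
static const uint64_t PAYLOAD_MASK  = 0x0000FFFFFFFFFFFFull;
static const uint64_t TAG_UNDEFINED = 0x1ull << 48;
static const uint64_t TAG_INT32     = 0x2ull << 48;
static const uint64_t TAG_OBJECT    = 0x3ull << 48;
// Stands in for whatever garbage an unwritten stack slot happens to contain.
static const uint64_t POISON        = 0xDEADDEADDEADDEADull;

static uint64_t boxInt32(int32_t i) { return TAG_INT32 | (uint64_t)(uint32_t)i; }

struct Frame {
    std::vector<uint64_t> locals;  // local variable slots
    std::vector<uint64_t> stack;   // operand stack
};

// The verifier's invariant on one slot: a known tag, and for object values an
// 8-byte aligned pointer payload (the real assertion was (ptrBits & 0x7) == 0).
static bool slotWellFormed(uint64_t v) {
    uint64_t tag = v & ~PAYLOAD_MASK;
    if (tag == TAG_UNDEFINED || tag == TAG_INT32) return true;
    if (tag == TAG_OBJECT) return ((v & PAYLOAD_MASK) & 0x7) == 0;
    return false;
}

// Scan every slot of the frame, as the barrier verifier scans the VM stack.
static bool verifyFrame(const Frame& f) {
    for (uint64_t v : f.locals) if (!slotWellFormed(v)) return false;
    for (uint64_t v : f.stack)  if (!slotWellFormed(v)) return false;
    return true;
}

enum Op { PUSH_INT, SETLOCAL, GETLOCAL, RET };
struct Insn { Op op; int32_t arg; };

// Interpreter entry. `rejoin` means a JIT-compiled prefix already ran and we are
// resuming at `pc`; `skipVerifierOnRejoin` models the fix (no verification at
// entry when rejoining). Returns false where the real engine would assert.
static bool interpret(Frame& f, const std::vector<Insn>& code, size_t pc,
                      bool rejoin, bool skipVerifierOnRejoin) {
    if (!(rejoin && skipVerifierOnRejoin) && !verifyFrame(f))
        return false;
    for (; pc < code.size(); ++pc) {
        const Insn& in = code[pc];
        switch (in.op) {
          case PUSH_INT: f.stack.push_back(boxInt32(in.arg)); break;
          case SETLOCAL: f.locals[in.arg] = f.stack.back(); break;  // value stays on the stack
          case GETLOCAL: f.stack.push_back(f.locals[in.arg]); break;
          case RET:      return true;
        }
        // With the verifier active, every instruction boundary is checked; by
        // now the SETLOCAL has written its slot, so this passes.
        if (!verifyFrame(f)) return false;
    }
    return true;
}

static const std::vector<Insn>& program() {
    static const std::vector<Insn> code = {
        {PUSH_INT, 7}, {SETLOCAL, 0}, {GETLOCAL, 0}, {RET, 0}
    };
    return code;
}

// State at the rejoin point from the bug: the JIT has executed PUSH_INT (the
// value is on the stack) but not the SETLOCAL, so local 0 is still unwritten.
static Frame rejoinFrame() {
    Frame f;
    f.locals.assign(1, POISON);
    f.stack.push_back(boxInt32(7));
    return f;
}

// Entering the interpreter at the SETLOCAL (pc = 1) with the verifier run at entry.
bool rejoinWithoutFix() { Frame f = rejoinFrame(); return interpret(f, program(), 1, true, false); }
// Same entry with the patch's behaviour: no verification at the start of a rejoin.
bool rejoinWithFix()    { Frame f = rejoinFrame(); return interpret(f, program(), 1, true, true); }
// Normal entry from pc = 0: locals start as undefined, so the entry scan is fine.
bool freshEntry() {
    Frame f;
    f.locals.assign(1, TAG_UNDEFINED);
    return interpret(f, program(), 0, false, false);
}
// The local really is written once the SETLOCAL has run.
int32_t localAfterRejoinWithFix() {
    Frame f = rejoinFrame();
    interpret(f, program(), 1, true, true);
    return (int32_t)(uint32_t)(f.locals[0] & 0xFFFFFFFFull);
}

int main() {
    std::printf("rejoin, verifier at entry: %s\n", rejoinWithoutFix() ? "ok" : "assertion");
    std::printf("rejoin, verifier skipped:  %s\n", rejoinWithFix() ? "ok" : "assertion");
    std::printf("fresh entry:               %s\n", freshEntry() ? "ok" : "assertion");
    return 0;
}
```

The point the model makes is that skipping the entry-time scan on rejoin does not weaken the verifier: the per-instruction check still runs as soon as the pending SETLOCAL has executed, and from then on every slot it inspects has been written by the interpreter or by the JIT prefix.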
Comment 3 [PTO to Dec5] Bill McCloskey (:billm) 2012-07-02 18:11:08 PDT
*** Bug 767964 has been marked as a duplicate of this bug. ***
Comment 4 [PTO to Dec5] Bill McCloskey (:billm) 2012-07-05 16:40:12 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/07823fa2edb0

This is a debug-only bug, so no reason to keep it closed.
Comment 5 [PTO to Dec5] Bill McCloskey (:billm) 2012-07-05 16:43:28 PDT
*** Bug 770712 has been marked as a duplicate of this bug. ***
Comment 7 Christian Holler (:decoder) 2013-01-14 08:36:42 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug767074.js.
