Bug 767074 (Closed)
Assertion failure: (ptrBits & 0x7) == 0, at jsval.h:731 or Crash [@ js::gc::ArenaHeader::allocated]
Opened 13 years ago; closed 13 years ago
Category: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target milestone: mozilla16
Reporter: decoder; Assignee: billm
Keywords: assertion, crash, testcase
Whiteboard: [js:inv:p1][jsbugmon:update][fuzzblocker]
Attachments (1 file): patch, 1.35 KB, bhackett1024: review+
The following test asserts on mozilla-central revision c83282305cb9 (options -m -n -a):
var callStack = new Array();
function exitFunc (funcName) {
  var lastFunc = callStack.pop();
}
gczeal(4);              // JS shell: enable the GC barrier verifier (zeal mode 4; see comment 2)
var sb = evalcx('');    // JS shell: create a fresh sandbox global
sb.parent = this;
this.f = function name(outer) {
  return (exitFunc ('test'));
}
// Run f from inside the sandbox; the JIT-compiled loop hands back to the interpreter mid-method
evalcx('this.f = parent.f; var s = ""; for (i = 0; i < 10; ++i) s += f(true); s', sb);
S-s due to assertion known to be dangerous.
Updated 13 years ago: Assignee: general → wmccloskey
Updated 13 years ago: Whiteboard: js-triage-needed [jsbugmon:update] → [js:inv:p1][jsbugmon:update]
Comment 1 (Reporter, 13 years ago):
This now shows up as
Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:825
Updated 13 years ago: Whiteboard: [js:inv:p1][jsbugmon:update] → [js:inv:p1][jsbugmon:update][fuzzblocker]
Comment 2 (Assignee, 13 years ago):
This bug is similar to bug 753283. We run for a while in the methodjit and then we return to the interpreter to finish running the method. We return with the PC set to a SETLOCAL op. We immediately call the barrier verifier, which scans the VM stack. It expects the slot referenced by the SETLOCAL to be valid, but the SETLOCAL hasn't run yet, so it's uninitialized.
The patch just avoids running the verifier at the start of the Interpret when a rejoin is taking place.
Attachment #638559 - Flags: review?(bhackett1024)
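To make the mechanism in comment 2 concrete, here is an added toy model in C. It is not SpiderMonkey code, and none of its names (Frame, verify_frame, interpret_buggy, interpret_fixed, the poison filler, the slot indices) come from the bug or the patch; they are assumptions of the model. It keeps a frame of value slots, a verifier that walks every slot and applies the alignment check from the assertion in the title, and two interpreter entry points: one that verifies unconditionally and so trips on the slot the pending SETLOCAL has not yet written, and one that skips verification on a rejoin, which is the shape of the fix comment 2 describes.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (not SpiderMonkey code) of the situation in comment 2:
 * a frame of value slots, a verifier that walks every slot and checks the
 * alignment invariant asserted in jsval.h ((ptrBits & 0x7) == 0), and an
 * interpreter entry point that may be a rejoin from the JIT at a SETLOCAL
 * whose target slot has not been written yet. */

#define NSLOTS 4
#define UNINIT_POISON 0xdeadbeefdeadbeefULL /* constructed filler for an unwritten slot */

enum { OP_SETLOCAL, OP_RETURN };

typedef struct { int op; int slot; } Op;

typedef struct {
    uint64_t slots[NSLOTS]; /* payload bits; a GC-thing payload must be 8-byte aligned */
    bool     rejoining;     /* true when the JIT handed control back mid-method */
} Frame;

/* The invariant the verifier relies on: every slot holds an 8-byte aligned payload. */
static bool slot_is_valid(uint64_t bits) { return (bits & 0x7) == 0; }

/* Verifier: scan the whole frame; return the index of the first bad slot, or -1. */
static int verify_frame(const Frame *f) {
    for (int i = 0; i < NSLOTS; i++)
        if (!slot_is_valid(f->slots[i])) return i;
    return -1;
}

/* Buggy entry: verify unconditionally, before the op at pc has run.
 * Returns the offending slot index, or -1 if the op ran cleanly. */
static int interpret_buggy(Frame *f, const Op *pc) {
    int bad = verify_frame(f);
    if (bad >= 0) return bad;                               /* where the assertion fired */
    if (pc->op == OP_SETLOCAL) f->slots[pc->slot] = 0x1000; /* constructed aligned value */
    return -1;
}

/* Fixed entry (the shape of the patch): skip the verifier on a rejoin,
 * because the op at pc has not yet initialised the slot it refers to. */
static int interpret_fixed(Frame *f, const Op *pc) {
    if (!f->rejoining) {
        int bad = verify_frame(f);
        if (bad >= 0) return bad;
    }
    if (pc->op == OP_SETLOCAL) f->slots[pc->slot] = 0x1000;
    return -1;
}

/* Build a frame as it looks when the JIT returns at a SETLOCAL into slot 2. */
static Frame rejoin_frame(void) {
    Frame f;
    memset(&f, 0, sizeof f);
    f.slots[2] = UNINIT_POISON;
    f.rejoining = true;
    return f;
}

/* Run both entry points on the same rejoin frame. Returns 0 when the buggy
 * entry reports slot 2 and the fixed entry completes, leaving a clean frame. */
static int run_scenario(void) {
    Op pc = { OP_SETLOCAL, 2 };
    Frame a = rejoin_frame(), b = rejoin_frame();
    int buggy = interpret_buggy(&a, &pc);
    int fixed = interpret_fixed(&b, &pc);
    if (buggy != 2) return 1;
    if (fixed != -1) return 2;
    if (verify_frame(&b) != -1) return 3; /* once SETLOCAL has run, the invariant holds again */
    return 0;
}

int main(void) {
    int rc = run_scenario();
    printf("scenario %s (rc=%d)\n", rc == 0 ? "matches the bug report" : "unexpected", rc);
    return rc;
}
```

The point of the model is ordering: the verifier's invariant (every slot is a well-formed value) only holds between ops, and a rejoin re-enters the interpreter with pc pointing at an op that has not yet re-established it for its own slot. Skipping the check on that one entry path, as the patch does, is sound because the same verifier runs again at the next point where the invariant is expected to hold.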
Updated 13 years ago: Attachment #638559 - Flags: review?(bhackett1024) → review+
Comment 4 (Assignee, 13 years ago):
https://hg.mozilla.org/integration/mozilla-inbound/rev/07823fa2edb0
This is a debug-only bug, so no reason to keep it closed.
Group: core-security
Target Milestone: --- → mozilla16
Comment 6 (13 years ago):
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 7 (Reporter, 12 years ago):
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug767074.js.
Flags: in-testsuite+