Closed Bug 770712 Opened 13 years ago Closed 13 years ago

Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:825 or Crash [@ js::gc::ArenaHeader::allocated]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 767074

People

(Reporter: decoder, Assigned: billm)

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: js-triage-needed)

Crash Data

The following test asserts/crashes on mozilla-central revision b39f4007be5a (options -m -n -a):

var callStack = new Array();
function exitFunc (funcName) {
  var lastFunc = callStack.pop();
}
var appendToActual = function(s) {
  actual += s + ',';
}
Function.prototype.toString = function () f("h" ,1, exitFunc ('test'));
gczeal(4);
actual = '';
function f() {
  var a = arguments;
  appendToActual(a.callee);
}
f({}, 'a');

Debug build crashes when stepping over assertions:

==56976== Invalid read of size 1
==56976==    at 0x804C8F3: js::gc::ArenaHeader::allocated() const (Heap.h:467)
==56976==    by 0x804C970: js::gc::ArenaHeader::getAllocKind() const (Heap.h:497)
==56976==    by 0x806BD7A: js::gc::Cell::getAllocKind() const (Heap.h:935)
==56976==    by 0x80FF19E: js::gc::GetGCThingTraceKind(void const*) (jsgcinlines.h:30)
==56976==    by 0x836784F: js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind) (Marking.cpp:256)
==56976==    by 0x8367E99: js::gc::MarkValueInternal(JSTracer*, JS::Value*) (Marking.cpp:362)
==56976==    by 0x8367FE0: js::gc::MarkValueRoot(JSTracer*, JS::Value*, char const*) (Marking.cpp:384)
==56976==    by 0x82EB525: js::StackSpace::markFrameValues(JSTracer*, js::StackFrame*, JS::Value*, unsigned char*) (Stack.cpp:622)
==56976==    by 0x82EB764: js::StackSpace::mark(JSTracer*) (Stack.cpp:677)
==56976==    by 0x81150DE: js::MarkRuntime(JSTracer*, bool) (jsgc.cpp:2397)
==56976==    by 0x811A33D: js::gc::StartVerifyBarriers(JSRuntime*) (jsgc.cpp:4498)
==56976==    by 0x811AC0F: js::gc::MaybeVerifyBarriers(JSContext*, bool) (jsgc.cpp:4681)
==56976==  Address 0xc is not stack'd, malloc'd or (recently) free'd

On 64-bit this also asserts as:

Assertion failure: (ptrBits & 0x7) == 0, at js/src/jsval.h:731

S-s because this is a GC-related assertion.
Keywords: sec-high
Assignee: general → wmccloskey
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
A testcase for this bug was already added in the original bug (bug 767074).
Flags: in-testsuite-