"Assertion failure: any" in AutoGCSession::AutoGCSession with verifybarriers

VERIFIED FIXED in Firefox 17

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: Jesse Ruderman, Assigned: billm)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla17
x86_64
Mac OS X
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox16- affected, firefox17 verified, firefox-esr10 unaffected)

Details

(Whiteboard: [js:p1])

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 643180 [details]
testcase

1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
2. Load the testcase in a debug build (from the command line?)

Assertion failure: any, at js/src/jsgc.cpp:3570

I can reproduce using https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1342515922/ but not using a local debug build :(
(Reporter)

Comment 1

5 years ago
Created attachment 643181 [details]
stack trace
(Assignee)

Updated

5 years ago
Assignee: general → wmccloskey
Whiteboard: [js:p1]
(Assignee)

Comment 2

5 years ago
Created attachment 644054 [details] [diff] [review]
patch

I forgot to call Prepare before the GC. Regression from bug 774104.

This API is kinda crappy. I'm going to work on simplifying it soon.
Attachment #644054 - Flags: review?
(Assignee)

Updated

5 years ago
Attachment #644054 - Flags: review? → review?(terrence)
Attachment #644054 - Flags: review?(terrence) → review+
(Assignee)

Comment 3

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/b3de7703f20b
Target Milestone: --- → mozilla17

Comment 4

5 years ago
https://hg.mozilla.org/mozilla-central/rev/b3de7703f20b
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox17: --- → fixed
Resolution: --- → FIXED
(In reply to Bill McCloskey (:billm) from comment #2)
> I forgot to call Prepare before the GC. Regression from bug 774104.

Based on that marking this tracking for Fx16
Blocks: 774104
status-firefox-esr10: --- → unaffected
status-firefox16: --- → affected
tracking-firefox16: --- → +
Keywords: regression

Comment 6

5 years ago
Can we get this nominated and landed on Aurora 16 prior to Monday's merge?
(Assignee)

Comment 7

5 years ago
This assertion is more of a sanity check. I don't think anything bad will happen if it's violated, so I don't think we need this on Aurora.
Group: core-security

Comment 8

5 years ago
(In reply to Bill McCloskey (:billm) from comment #7)
> This assertion is more of a sanity check. I don't think anything bad will
> happen if it's violated, so I don't think we need this on Aurora.

Thanks Bill - we'll untrack in that case.
tracking-firefox16: + → -
Keywords: verifyme
Can't reproduce the assertion with the latest beta debug build (http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-11-04-mozilla-beta-debug/) but couldn't reproduce with a build from the report date either so i'll leave the verified status as is for the moment.
Jesse, can you see if this is still reproducible for you? QA is not able to reproduce on the reported build.
Keywords: verifyme
(Reporter)

Comment 11

5 years ago
Fine on trunk.  I tested with "verifyprebarriers", the closest equivalent to the "verifybarriers" that existed at the time of filing, and also with "verifypostbarriers".
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Thanks Jesse.
status-firefox17: fixed → verified
You need to log in before you can comment on or make changes to this bug.