Closed
Bug 779328
Opened 12 years ago
Closed 12 years ago
IonMonkey: "Assertion failure: !aheader->hasFreeThings(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox17 | --- | unaffected |
| firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: dvander)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][ion:p1:fx18])
Attachments
(3 files, 1 obsolete file)
The upcoming attached testcase asserts js debug shell on IonMonkey changeset b46621aba6fd without any CLI arguments at Assertion failure: !aheader->hasFreeThings(),

Setting s-s because gc is on the stack.
Reporter
Comment 1•12 years ago
Reporter
Comment 2•12 years ago
Attachment #647717 -
Attachment is obsolete: true
Reporter
Comment 3•12 years ago
Not-so-small regression window: http://hg.mozilla.org/projects/ionmonkey/pushloghtml?fromchange=23a84dbb258f&tochange=b46621aba6fd
Comment 4•12 years ago
Seeing this as well, but tests are hard to reduce. I'll try to come up with a smaller one, but I don't think it's going to work well.
Reporter
Comment 5•12 years ago
dvander has mentioned that this seems to be the same cause as an intermittent orange as well - also setting [fuzzblocker] as well.
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [fuzzblocker]
Reporter
Comment 6•12 years ago
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #3)
> Not-so-small regression window:
>
> http://hg.mozilla.org/projects/ionmonkey/pushloghtml?fromchange=23a84dbb258f&tochange=b46621aba6fd

Here's a slightly smaller regression window:
http://hg.mozilla.org/projects/ionmonkey/pushloghtml?fromchange=23a84dbb258f&tochange=08187a7ea897
Assignee
Updated•12 years ago
Whiteboard: [fuzzblocker] → [fuzzblocker][ion:p1:fx18]
Assignee
Comment 7•12 years ago
I have a fix for this but I don't understand why it works. It seems like it might be unsafe to call AutoCopyFreelistsToArenas from ResetIncrementalGC, if ResetIncrementalGC was not called from BudgetIncremental. Need to talk to Bill tomorrow.
Assignee
Comment 8•12 years ago
Bill explained the problem and suggested this fix. The problem is that the code right under the current placement of AutoCopyFreeListToArenas can GC, which can nest instances of this RAII object, which is not legal. The fix is to just move it down a bit.
Attachment #648064 -
Flags: review?(wmccloskey) → review+
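
The nesting problem described in comment 8, shown as an added C++ model that is not code from this bug, its patch, or SpiderMonkey. Every type and function name in it (`ScopedCopyFreeList`, `mayCollect`, and so on) is hypothetical, and a flag stands in for the debug assertion.

```cpp
// Added illustration: simplified model, not SpiderMonkey source; names are hypothetical.
#include <cstddef>
#include <cstdio>

struct ArenaHeader {
    std::size_t firstFree = 0;  // 0 means no free span is recorded in the header
    bool hasFreeThings() const { return firstFree != 0; }
};
struct Allocator {
    ArenaHeader arena;
    std::size_t cachedFreeSpan = 8;  // allocator-side free list, not yet in the header
    bool nestedGuardSeen = false;    // stands in for the debug assertion firing
};

// Non-reentrant scoped guard: copies the cached free list into the arena
// header on entry and clears it again on exit.
class ScopedCopyFreeList {
    Allocator& a_;
  public:
    explicit ScopedCopyFreeList(Allocator& a) : a_(a) {
        // A debug build would assert !hasFreeThings() here; the model records it.
        if (a_.arena.hasFreeThings()) a_.nestedGuardSeen = true;
        a_.arena.firstFree = a_.cachedFreeSpan;
    }
    ~ScopedCopyFreeList() { a_.arena.firstFree = 0; }
};

// Stand-in for any call that can trigger a collection, which opens its own guard.
void mayCollect(Allocator& a) { ScopedCopyFreeList inner(a); }

// Before: the guard is live while code that can GC runs, so guards nest.
bool nestsBeforeFix() {
    Allocator a;
    ScopedCopyFreeList outer(a);
    mayCollect(a);
    return a.nestedGuardSeen;
}

// After: the guard is opened only once the GC-capable code has finished.
bool nestsAfterFix() {
    Allocator a;
    mayCollect(a);
    ScopedCopyFreeList outer(a);
    return a.nestedGuardSeen;
}

int main() {
    std::printf("nested before fix: %d, after: %d\n", nestsBeforeFix(), nestsAfterFix());
}
```

In the "before" ordering the inner guard's destructor also clears the header while the outer guard is still in scope, so the outer scope no longer has the state it set up.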
Assignee
Comment 9•12 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/6d6f1ce4c9f9
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
Status: RESOLVED → VERIFIED
Comment 10•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
status-firefox-esr10: --- → unaffected
status-firefox17: --- → unaffected
Updated•9 years ago
Group: core-security