Closed
Bug 780027
Opened 13 years ago
Closed 13 years ago
Crash [@ js::gc::MarkInternal<JSString>] or [@ js::gc::MarkIdRootRange] or "Assertion failure: thing,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla17
People
(Reporter: gkw, Assigned: billm)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
x = y = [0,,0]
print(uneval)
for (z = 0; z < 89; ++z) {
x = x.concat(y)
}
schedulegc(8)
uneval(x)
asserts js debug shell on m-i changeset 1924fe55fb6e without any CLI arguments at Assertion failure: thing, and crashes js opt shell at js::gc::MarkInternal<JSString> with js::gc::MarkIdRootRange somewhere on the stack.
|
Reporter | |
Comment 1•13 years ago
|
||
autoBisect is running, but incremental GC stuff seem to be on the stack, cc'ing iGC folks.
|
Assignee | |
Updated•13 years ago
|
Assignee: general → wmccloskey
|
|
Reporter | |
Comment 2•13 years ago
|
||
|
|
Reporter | |
Comment 3•13 years ago
|
||
I won't have the regressing bug pointed at by autoBisect because in the range in comment 2, some changesets don't compile, so it's about the best one can have for the moment.
|
|
Assignee | |
Comment 4•13 years ago
|
||
We're asserting because we try to mark a NULL jsid. That happens because we aren't properly initializing an AutoIdVector after reserving space out of it.
Attachment #649894 -
Flags: review?(terrence)
|
|
Assignee | |
Comment 5•13 years ago
|
||
Not sensitive because it only affects JS_MORE_DETERMINISTIC builds.
Group: core-security
|
|
Reporter | |
Comment 6•13 years ago
|
||
This is likely fallout from bug 779393 which in turn likely was fallout from bug 776579.
Blocks: 779393
|
||
Updated•13 years ago
|
Attachment #649894 -
Flags: review?(terrence) → review+
|
|
Assignee | |
Comment 7•13 years ago
|
||
|
||
Comment 8•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
You need to log in
before you can comment on or make changes to this bug.
Description
•