Bug 783540 (Closed): Assertion failure: tag >= 0, at jsgc.cpp:2433 or Crash [@ js::gc::MarkInternal]
Opened 12 years ago; closed 12 years ago.
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla17
Tracking | Status
---|---
firefox16 | unaffected
firefox17 | verified
firefox-esr10 | unaffected
People: Reporter: decoder, Assigned: luke
Details: 5 keywords, Whiteboard: [jsbugmon:update,ignore][adv-track-main17-]
Attachments (1 file): patch, 1.44 KB, review+ (bhackett1024)
The following test crashes on mozilla-central revision 1ecca798b1fb (options -m -n -a):
gczeal(2, 2)
var stringA = "abcdef";
var stringB = "ghijk";
var stringC = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz";
(stringA + stringB + stringC).replace('abc', 'AA')
Crash trace:
(Several errors before this that look similar)
==54999== Invalid read of size 4
==54999== at 0x81F2FFF: void js::gc::MarkInternal<JSString>(JSTracer*, JSString**) (Heap.h:1010)
==54999== by 0x81F4E3C: js::gc::MarkValueInternal(JSTracer*, JS::Value*) (Marking.cpp:365)
==54999== by 0x81F50E7: js::gc::MarkValueRootRange(JSTracer*, unsigned int, JS::Value*, char const*) (Marking.cpp:421)
==54999== by 0x80A642D: JS::AutoGCRooter::trace(JSTracer*) (jsgc.cpp:2435)
==54999== by 0x80A6AC3: JS::AutoGCRooter::traceAll(JSTracer*) (jsgc.cpp:2442)
==54999== by 0x80A9776: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.304 (jsgc.cpp:2491)
==54999== by 0x80AE233: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3283)
==54999== by 0x80AF2C9: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4131)
==54999== by 0x80B04C6: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4239)
==54999== by 0x80B0755: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:4536)
==54999== by 0x8132198: _ZN2js2gc10NewGCThingI13JSShortStringEEPT_P9JSContextNS0_9AllocKindEj.clone.337 (jsgcinlines.h:446)
==54999== by 0x8134758: js_NewDependentString(JSContext*, JSString*, unsigned int, unsigned int) (jsgcinlines.h:520)
==54999== Address 0x4c45c000 is not stack'd, malloc'd or (recently) free'd
Dangerous crash => s-s.
Comment 1 • 12 years ago (Assignee)
STRINGVECTOR is just missing for the switch, it seems.
Attachment #652781 - Flags: review?(bhackett1024)
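The diagnosis in comment 1 and the trace in the description point at the same defect: a rooter kind with a negative tag that has no case in the trace switch falls through to the code path meant for non-negative "array of N values" tags, and that path hands the tag to a marking routine as an unsigned count (the MarkValueRootRange signature in the trace takes unsigned int). The following is an added C++ model, not SpiderMonkey's code: the names Rooter, Tracer, arrayPathLength, traceUnpatched and tracePatched are constructed, and the tag convention (negative = special rooter kind, non-negative = array length) is assumed from this page's trace. It shows the missing-case fall-through beside the fixed dispatcher and the count the array path would receive for a negative tag.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Constructed model of a tag-dispatched GC rooter (not SpiderMonkey's
// AutoGCRooter). Convention assumed from the trace on this page: a negative
// tag names a specific rooter kind, a non-negative tag means "this rooter
// holds an array of `tag` values".
enum RooterTag : int {
    VALUE        = -1,
    STRINGVECTOR = -2,   // the kind whose switch case was missing
};

struct Tracer {
    std::size_t valuesMarked  = 0;
    std::size_t stringsMarked = 0;
};

struct Rooter {
    int tag;
    std::vector<int> strings;   // stand-ins for JSString* roots (constructed)
    std::vector<int> values;    // stand-ins for JS::Value roots (constructed)
};

// The count a MarkValueRootRange-style routine (unsigned length parameter,
// as in the page's trace) would receive if a negative tag reached the array
// path: the tag reinterpreted as an unsigned value.
unsigned arrayPathLength(int tag) {
    return static_cast<unsigned>(tag);
}

// Before the fix: no case for STRINGVECTOR, so a string-vector rooter falls
// out of the switch into the array path. Returns false at the point where a
// debug build's "tag >= 0" assertion fires; a release build would instead
// walk arrayPathLength(tag) slots starting from a field that is not an array.
bool traceUnpatched(Tracer& trc, const Rooter& r) {
    switch (r.tag) {
      case VALUE:
        trc.valuesMarked += 1;
        return true;
    }
    if (r.tag < 0)
        return false;
    trc.valuesMarked += r.values.size();   // array path: tag == values.size()
    return true;
}

// After the fix: every special tag has its own case, so the array path only
// ever sees non-negative tags. The guard stays so that a future rooter kind
// added without a case is caught instead of being mis-marked.
bool tracePatched(Tracer& trc, const Rooter& r) {
    switch (r.tag) {
      case VALUE:
        trc.valuesMarked += 1;
        return true;
      case STRINGVECTOR:
        trc.stringsMarked += r.strings.size();
        return true;
    }
    if (r.tag < 0)
        return false;
    trc.valuesMarked += r.values.size();
    return true;
}

int main() {
    Rooter sv{STRINGVECTOR, {1, 2, 3}, {}};   // constructed: three string roots
    Tracer before, after;
    std::cout << "unpatched handled string vector: " << traceUnpatched(before, sv)
              << ", strings marked: " << before.stringsMarked << '\n';
    std::cout << "patched handled string vector: " << tracePatched(after, sv)
              << ", strings marked: " << after.stringsMarked << '\n';
    std::cout << "count the array path would use for tag " << STRINGVECTOR
              << ": " << arrayPathLength(STRINGVECTOR) << '\n';
    return 0;
}
```

Because the switch is over a plain int rather than an enum, the compiler's switch-exhaustiveness warning does not apply, which is why the post-switch guard (the page's `tag >= 0` assertion) is the only thing standing between a forgotten case and a huge unsigned range being handed to the marking loop.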
Updated • 12 years ago
status-firefox-esr10: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → affected
Updated • 12 years ago
Attachment #652781 - Flags: review?(bhackett1024) → review+
Comment 2 • 12 years ago (Assignee)
Updated • 12 years ago (Reporter)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 3 • 12 years ago (Reporter)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f9a8fdb08193).
Comment 4 • 12 years ago
Assignee: general → luke
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Updated • 12 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 5 • 12 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed.
Updated • 12 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-track-main17-]
Updated • 12 years ago
Group: core-security
Keywords: regression