Closed Bug 785835 Opened 11 years ago Closed 11 years ago

Assertion failure: (ptrBits & 0x7) == 0, at ../../jsval.h:732 or Crash [@ js::gc::MarkInternal]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 785576

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,ignore]) 

The following testcase asserts on mozilla-central revision f077de66e52d (run with -m -n -a):


function TestCase(n, d, e, a) {
    this.actual
}
function reportCompare(expected, actual, description) {
    testcase = new TestCase
}
function addThis() {
    actualvalues[UBound] = actual
    UBound++
}
gczeal(9, 2);
var UBound = 0;
var actual = '';
var actualvalues = [];
Number.prototype.magic = 42;
actual = f(); 
addThis();
function f(j, k) {
    ([,,[, ]]).toSource();
    addThis();
    return [4][0]['magic']
}
test();
function test() {
  for (var i = 0; i < 10; i++)
    reportCompare(actualvalues[i])
}
Crash trace:

==36362== Invalid read of size 8
==36362==    at 0x5ADA21: void js::gc::MarkInternal<JSString>(JSTracer*, JSString**) (Heap.h:1010)
==36362==    by 0x5AF72B: js::gc::MarkValueInternal(JSTracer*, JS::Value*) (Marking.cpp:369)
==36362==    by 0x5AF99E: js::gc::MarkValueRootRange(JSTracer*, unsigned long, JS::Value*, char const*) (Marking.cpp:426)
==36362==    by 0x55F6D2: js::StackSpace::markAndClobberFrame(JSTracer*, js::StackFrame*, JS::Value*, unsigned char*) (Marking.h:149)
==36362==    by 0x55F8D9: js::StackSpace::markAndClobber(JSTracer*) (Stack.cpp:703)
==36362==    by 0x466475: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.320 (jsgc.cpp:2568)
==36362==    by 0x46A68C: IncrementalCollectSlice(JSRuntime*, long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3320)
==36362==    by 0x46C674: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4392)
==36362==    by 0x46D6EE: Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4500)
==36362==    by 0x42837F: JSObject* js::gc::NewGCThing<JSObject>(JSContext*, js::gc::AllocKind, unsigned long) (jsgcinlines.h:440)
==36362==    by 0x4A9652: JSObject::create(JSContext*, js::gc::AllocKind, JS::Handle<js::Shape*>, JS::Handle<js::types::TypeObject*>, js::HeapSlot*) (jsgcinlines.h:495)
==36362==    by 0x4A993D: NewObject(JSContext*, js::Class*, js::types::TypeObject*, JSObject*, js::gc::AllocKind) (jsobj.cpp:2350)
==36362==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   103141:455ed4a415aa
user:        Eric Faust
date:        Wed Aug 22 22:05:21 2012 -0700
summary:     Bug 781855 - Fix incorrectly shadowing 'own' properties in the case of prototypal setters. (r=bhackett)
Ccing bhackett and efaust per comment 2. Could again be a dup of one of the previously filed bugs, or something else uncovered by that patch.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8af2ff9c6018).
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.