Closed Bug 785835 Opened 13 years ago Closed 13 years ago

Assertion failure: (ptrBits & 0x7) == 0, at ../../jsval.h:732 or Crash [@ js::gc::MarkInternal]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 785576

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,ignore])

The following testcase asserts on mozilla-central revision f077de66e52d (run with -m -n -a): function TestCase(n, d, e, a) { this.actual } function reportCompare(expected, actual, description) { testcase = new TestCase } function addThis() { actualvalues[UBound] = actual UBound++ } gczeal(9, 2); var UBound = 0; var actual = ''; var actualvalues = []; Number.prototype.magic = 42; actual = f(); addThis(); function f(j, k) { ([,,[, ]]).toSource(); addThis(); return [4][0]['magic'] } test(); function test() { for (var i = 0; i < 10; i++) reportCompare(actualvalues[i]) }
Crash trace: ==36362== Invalid read of size 8 ==36362== at 0x5ADA21: void js::gc::MarkInternal<JSString>(JSTracer*, JSString**) (Heap.h:1010) ==36362== by 0x5AF72B: js::gc::MarkValueInternal(JSTracer*, JS::Value*) (Marking.cpp:369) ==36362== by 0x5AF99E: js::gc::MarkValueRootRange(JSTracer*, unsigned long, JS::Value*, char const*) (Marking.cpp:426) ==36362== by 0x55F6D2: js::StackSpace::markAndClobberFrame(JSTracer*, js::StackFrame*, JS::Value*, unsigned char*) (Marking.h:149) ==36362== by 0x55F8D9: js::StackSpace::markAndClobber(JSTracer*) (Stack.cpp:703) ==36362== by 0x466475: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.320 (jsgc.cpp:2568) ==36362== by 0x46A68C: IncrementalCollectSlice(JSRuntime*, long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3320) ==36362== by 0x46C674: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4392) ==36362== by 0x46D6EE: Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4500) ==36362== by 0x42837F: JSObject* js::gc::NewGCThing<JSObject>(JSContext*, js::gc::AllocKind, unsigned long) (jsgcinlines.h:440) ==36362== by 0x4A9652: JSObject::create(JSContext*, js::gc::AllocKind, JS::Handle<js::Shape*>, JS::Handle<js::types::TypeObject*>, js::HeapSlot*) (jsgcinlines.h:495) ==36362== by 0x4A993D: NewObject(JSContext*, js::Class*, js::types::TypeObject*, JSObject*, js::gc::AllocKind) (jsobj.cpp:2350) ==36362== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 103141:455ed4a415aa user: Eric Faust date: Wed Aug 22 22:05:21 2012 -0700 summary: Bug 781855 - Fix incorrectly shadowing 'own' properties in the case of prototypal setters. (r=bhackett)
Ccing bhackett and efaust per comment 2. Could again be a dup of one of the previously filed bugs, or something else uncovered by that patch.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8af2ff9c6018).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.