Closed
Bug 793271
Opened 13 years ago
Closed 13 years ago
Assertion failure: allocKind <= size_t(FINALIZE_LIMIT)
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 793257
People
(Reporter: bc, Unassigned)
Details
(Keywords: assertion, regression, sec-critical, Whiteboard: [sg:dupe 793257])
1. https://www.bulgarianfood.co.uk/shop/Mineralna_voda_i_Bezalkoholni_napitki/
2. Assertion failure: allocKind <= size_t(FINALIZE_LIMIT)
ss due to gc related foo.
0x000000010268e7a8 in js::gc::ArenaHeader::allocated (this=0xfffb800140769000) at Heap.h:483
483 JS_ASSERT(allocKind <= size_t(FINALIZE_LIMIT));
(gdb) bt
#0 0x000000010268e7a8 in js::gc::ArenaHeader::allocated (this=0xfffb800140769000) at Heap.h:483
#1 0x000000010268e85d in js::gc::ArenaHeader::getAllocKind (this=0xfffb800140769000) at Heap.h:513
#2 0x0000000103f988dd in js::gc::Cell::getAllocKind (this=0xfffb800140769840) at Heap.h:989
#3 0x000000010401ad78 in js::gc::GetGCThingTraceKind (thing=0xfffb800140769840) at jsgcinlines.h:30
#4 0x000000010434c40e in js::gc::MarkKind (trc=0x7fff5fbfc468, thingp=0x7fff5fbfc220, kind=JSTRACE_OBJECT) at /work/mozilla/builds/nightly/mozilla/js/src/gc/Marking.cpp:262
#5 0x000000010434ebc6 in js::CallTracer (trc=0x7fff5fbfc468, thing=0xfffb800140769840, kind=JSTRACE_OBJECT) at /work/mozilla/builds/nightly/mozilla/js/src/gc/Marking.cpp:1368
I see other crashes in automation with no signature, or unrelated signatures for Windows XP and Linux. I don't assert/crash Beta or Aurora on OSX but I'm not sure how reliable that statement is.
Reloading the url on Nightly after the initial crash in gdb, I didn't immediately crash. I used Web Console to open a new window, and in the new window used Web Console again to set up an interval that would reload the original url every 60 seconds. It took a while, but I did crash again; however, I didn't have gdb invoked and didn't see an assertion message. Trying again, I hit the assert right away. ymmv.
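As an added illustration (not Mozilla code, and not something from the bug), here is a toy model of the check that fired in frame #0 plus the pointer arithmetic the trace shows in frames #2 and #1. It assumes 4 KiB arenas (consistent with the cell 0x...840 mapping to the header 0x...000 in the trace), a hypothetical FINALIZE_LIMIT of 20, and that the 0xFFFB8 prefix on the `thing` address is the object tag of the engine's 64-bit NaN-boxed Values (JSVAL_TAG_OBJECT = 0x1FFF7 shifted by 47); that last point is an assumption about the engine of that era, not something the bug states. The point for a debugger user is that a cell address with bits 47..63 set cannot be a user-space heap pointer at all, so the allocKind assertion is reporting a bogus pointer rather than a corrupt header.

```c
/* Added example, not from the bug or from Mozilla's tree. */
#define _POSIX_C_SOURCE 200112L
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE     4096u                /* assumed arena size; matches 0x...840 -> 0x...000 */
#define ARENA_MASK     (ARENA_SIZE - 1u)
#define FINALIZE_LIMIT 20u                  /* hypothetical; allocKind == FINALIZE_LIMIT means "free" */
#define ASSUMED_OBJECT_TAG 0x1FFF7u         /* assumed NaN-boxing object tag, 0x1FFF7 << 47 == 0xFFFB8... */

typedef struct { uint32_t allocKind; } ArenaHeader;

/* Mirror of the assertion in the trace: a value above FINALIZE_LIMIT means the
 * memory being read is not an arena header, i.e. the header pointer is bogus. */
static int arena_allocated(const ArenaHeader *hdr) {
    assert(hdr->allocKind <= FINALIZE_LIMIT);
    return hdr->allocKind < FINALIZE_LIMIT;
}

/* Same derivation frames #2/#1 perform: cell address -> enclosing arena header. */
static uintptr_t arena_base(uintptr_t cell) { return cell & ~(uintptr_t)ARENA_MASK; }

/* x86-64 user-space pointers are canonical with bits 47..63 clear; anything else
 * is not a heap pointer no matter what the "header" it maps to contains. */
static unsigned top17(uintptr_t p) { return (unsigned)(p >> 47); }
static int is_plausible_heap_pointer(uintptr_t p) { return p != 0 && top17(p) == 0; }
static uintptr_t strip_top17(uintptr_t p) { return p & (((uintptr_t)1 << 47) - 1); }

/* Happy path on a real 4 KiB-aligned block: header at offset 0, cell at 0x840.
 * Returns the kind read back through the header, or UINT32_MAX on failure. */
static uint32_t kind_of_cell_in_fresh_arena(uint32_t kind) {
    void *mem = NULL;
    if (posix_memalign(&mem, ARENA_SIZE, ARENA_SIZE) != 0) return UINT32_MAX;
    memset(mem, 0, ARENA_SIZE);
    ((ArenaHeader *)mem)->allocKind = kind;
    uintptr_t cell = (uintptr_t)mem + 0x840;
    const ArenaHeader *hdr = (const ArenaHeader *)arena_base(cell);
    uint32_t result = arena_allocated(hdr) ? hdr->allocKind : UINT32_MAX;
    free(mem);
    return result;
}

int main(void) {
    uintptr_t thing = 0xfffb800140769840ull;   /* the `thing` value from frames #3/#4 */
    printf("arena header would be %#llx\n", (unsigned long long)arena_base(thing));
    printf("top 17 bits: %#x (matches assumed object tag: %s)\n", top17(thing),
           top17(thing) == ASSUMED_OBJECT_TAG ? "yes" : "no");
    printf("plausible heap pointer: %s; with tag bits stripped: %#llx\n",
           is_plausible_heap_pointer(thing) ? "yes" : "no",
           (unsigned long long)strip_top17(thing));
    printf("kind read back in a fresh arena: %u\n", kind_of_cell_in_fresh_arena(3));
    return 0;
}
```

The real `arena_allocated` call on the address from the trace would dereference 0xfffb800140769000, so the model never does that; the sanity functions operate on the integer value only, which is what you would do in gdb before trusting a header read.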
David, could this be related to the IonMonkey memory corruption issue?
I'm not sure. It's worth waiting and seeing.
Comment 3•13 years ago
Bob, given the cleanup that's happened it would be interesting to know if this still reproduces. Can you give it a try?
Keywords: sec-critical
Reporter
Comment 4•13 years ago
During my bisection I didn't see the assertion but did see the crashes. Accordingly (take it with a boatload of salt):
Found fix between 20120925004825-20120926015916
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=08d435dedc7f&tochange=e64a78df7258
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-25-mozilla-central-debug/firefox-18.0a1.en-US.debug-mac64.dmg
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-26-mozilla-central-debug/firefox-18.0a1.en-US.debug-mac64.dmg
This includes bug 793257 at least.
Comment 5•13 years ago
So it doesn't reproduce on trunk? Sounds like a dupe to me. Thanks for doing the bisection.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
Group: core-security
Whiteboard: [sg:dupe 793257]