Closed Bug 793385 Opened 8 years ago Closed 8 years ago

Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:846 with OOM

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla18
Tracking Status
firefox17 --- unaffected
firefox18 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: assertion, sec-moderate, testcase, Whiteboard: [jsbugmon:update][adv-main18-])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision e4757379b99a (run with --ion-eager):


gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
function f() {
    var inner4 = f("get"),
        x1,x2,x3,x4,x5,x11,x12,x13,x14,x15,x16,x17,x18,
        otherGlobalSameCompartment = newGlobal("same-compartment");
    eval('');
}
assertEq("aaa".replace(/a/g, f()), "poniesponiesponies");
Blocks: IonFuzz
Whiteboard: [jsbugmon:update]
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
This isn't an Ion bug but needs to be fixed anyway.
Summary: IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:846 with OOM → Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:846 with OOM
Whiteboard: [jsbugmon:update][ion:p1:fx18] → [jsbugmon:update]
Attached patch: fix
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #664223 - Flags: review?(wmccloskey)
Attachment #664223 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/b01c3760fce6
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
How far back does this bug go? Do we need it in ESR10 or Firefox 17?
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
(In reply to Daniel Veditz [:dveditz] from comment #5)
> How far back does this bug go? Do we need it in ESR10 or Firefox 17?

This bug is only in Firefox 18.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main18-]
Group: core-security