Closed Bug 799178 Opened 12 years ago Closed 12 years ago

Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:846 with OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 797469

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [ion:p1] [jsbugmon:update,ignore])

The following testcase asserts on mozilla-central revision 70337fa2fe62 (no options required):

var lfcode = new Array();
lfcode.push("gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 1024);");
lfcode.push("if (!deepEqual(a[prop], b[prop]))");
while (true) {
  var file = lfcode.shift();
  if (file == undefined) { break; }
  loadFile(file)
}
function loadFile(lfVarx) {
  eval(lfVarx);
}

Although this is an out-of-memory condition, it still showed a crash and the CellSize assertion, which is known to be security relevant. Not sure if this is IonMonkey-related, CCing devs.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][ion:p1]
Whiteboard: [jsbugmon:update,bisect][ion:p1] → [ion:p1] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 108900:ef321673c843
user: Eddy Bruel
date: Tue Oct 02 14:56:26 2012 +0200
summary: Bug 795721 - Inherit FunctionBox from ObjectBox; r=njn
This iteration took 7.058 seconds to run.
Likely a dup of bug 797469 then, waiting for that to land.
Depends on: 797469
Whiteboard: [ion:p1] [jsbugmon:update] → [ion:p1] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5cca0408a73f).
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
No longer depends on: 797469
Group: core-security