Closed
Bug 806663
Opened 13 years ago
Closed 12 years ago
Crash [@ js::gc::ArenaHeader::allocated] or "Assertion failure: !js::RootMethods<T>::poisoned(v)," involving gczeal(7)
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: gkw, Unassigned
Keywords: crash, regression, testcase
Attachments: 1 file (9.29 KB, text/plain)
gczeal(7)
''.split()
asserts js debug shell on m-c changeset 324985f4c4ea with --enable-root-analysis compiled inside at Assertion failure: !js::RootMethods<T>::poisoned(v), when the testcase is pasted in the shell. No CLI arguments are needed.
If the testcase is passed in as a CLI argument, the shell crashes at js::gc::ArenaHeader::allocated
Setting s-s because iirc Steve mentioned that these bugs may be bad.
autoBisect in progress.
Comment 1 • 13 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 107152:6852b4928efa
user: Bill McCloskey
date: Fri Sep 14 17:19:53 2012 -0700
summary: Bug 790865 - Add more compartment assertions (r=terrence)
Not sure if this is actually correct, the bug may have been latent prior to this checkin.
Blocks: 790865
Keywords: regression, sec-critical
Comment 2 • 13 years ago (Reporter)
(Assuming sec-critical pending further analysis)
Comment 3 • 13 years ago (Reporter)
Root analysis bugs are not yet s-s, until exact rooting is turned on. Ref bug 773746.
Group: core-security
Keywords: sec-critical
Updated • 13 years ago (Reporter)
Blocks: 807132
Summary: Crash [@ js::gc::ArenaHeader::allocated] or "Assertion failure: !js::RootMethods<T>::poisoned(v)," → Crash [@ js::gc::ArenaHeader::allocated] or "Assertion failure: !js::RootMethods<T>::poisoned(v)," involving gczeal(7)
Updated • 13 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 4 • 13 years ago
Cannot process bug: Unable to reproduce bug on original revision.
Comment 5 • 13 years ago (Reporter)
(In reply to Christian Holler (:decoder) from comment #4)
> Cannot process bug: Unable to reproduce bug on original revision.
Does jsbugmon compile shells using --enable-root-analysis ? It is not yet turned on by default.
Flags: needinfo?(choller)
Comment 6 • 13 years ago
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #5)
> Does jsbugmon compile shells using --enable-root-analysis ? It is not yet
> turned on by default.
No, as that would be harmful. You wouldn't be able to correctly verify issues that aren't related to root analysis since that analysis isn't stable yet.
Flags: needinfo?(choller)
Comment 7 • 13 years ago (Reporter)
> No, as that would be harmful. You wouldn't be able to correctly verify
> issues that aren't related to root analysis since that analysis isn't stable
> yet.
What I mean is, if --enable-root-analysis is specified in comment 0, jsbugmon should test a shell that has that compiled in.
Similarly for --enable-more-deterministic, likewise for other js CLI arguments e.g. --no-jm.
Otherwise jsbugmon will report that this bug is unreproducible, as per comment 4 of this bug, assuming that the bug still exists and reproduces manually.
Comment 8 • 13 years ago (Reporter)
(in this case I'd rather jsbugmon not monitor this bug)
Whiteboard: [jsbugmon:]
Comment 9 • 12 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 112345:8fd8e9243788
user: Steve Fink
date: Thu Nov 01 13:57:47 2012 -0700
summary: Bug 807458 - Eliminate a SkipRoot from NewDenseCopiedArray. r=terrence
Probably fixed by bug 807458.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED