Closed
Bug 830719
Opened 11 years ago
Closed 11 years ago
IonMonkey: Assertion failure: !InNoGCScope(), at ../../gc/Root.h:886
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 772820
People
(Reporter: decoder, Assigned: terrence)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])
Attachments
(1 file)
5.77 KB,
patch
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision b72d2af170aa (run with --ion-eager): evaluate("\ a = function() {};\ function assertArraysEqual(a, b) {\ assertEq(a[i], b[i]);\ }\ function check(b) {\ var a = deserialize(serialize(b));\ assertArraysEqual(a, b);\ }\ var ctors = [\ Int8Array,\ Uint8Array,\ Int16Array,\ Uint16Array,\ Int32Array,\ Uint32Array,\ Float32Array,\ Float64Array,\ Uint8ClampedArray];\ for (var i = 0; i < ctors.length; i++) {\ var ctor = ctors[i];\ b = ctor(0);\ check(b);\ b = ctor(100);\ check(b);\ }\ "); evaluate("assertArraysEqual(a[1], Int8Array([1, 2, 3]));");
Reporter | ||
Comment 1•11 years ago
|
||
S-s due to GC-relatedness.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 2•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 115711:9602f98a6a70 user: Terrence Cole date: Wed Dec 05 14:21:44 2012 -0800 summary: Bug 819118 - Use accessor rather than direct script access; r=billm This iteration took 112.987 seconds to run.
Assignee | ||
Comment 4•11 years ago
|
||
Good find. Not sec-crit because we're not moving yet. I'll add it to our fuzz list too.
Assignee | ||
Comment 5•11 years ago
|
||
It looks like we just need to pass a Handle through here.
Assignee: general → terrence
Status: NEW → ASSIGNED
Attachment #703100 -
Flags: review?(bhackett1024)
Comment 6•11 years ago
|
||
Comment on attachment 703100 [details] [diff] [review] v0 Review of attachment 703100 [details] [diff] [review]: ----------------------------------------------------------------- Well, going forward we shouldn't have any GC activity under the oracle functions, and I'd rather not add more roots that may need to be removed later. I filed bug 772820 a while back to fix this issue, just posted a patch there.
Attachment #703100 -
Flags: review?(bhackett1024)
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter | ||
Comment 7•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 02e12a80aef9).
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Reporter | ||
Comment 8•11 years ago
|
||
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 119272:7b531a62b114 user: Brian Hackett date: Fri Jan 18 09:23:28 2013 -0700 summary: Bug 772820 - Disallow GCs during script analysis or compilation, r=billm. This iteration took 82.560 seconds to run.
Comment 9•11 years ago
|
||
Fixed by bug 772820 per comments 6 and 8.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•