Closed
Bug 830719
Opened 13 years ago
Closed 13 years ago
IonMonkey: Assertion failure: !InNoGCScope(), at ../../gc/Root.h:886
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 772820
People
(Reporter: decoder, Assigned: terrence)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])
Attachments
(1 file)
|
5.77 KB,
patch
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision b72d2af170aa (run with --ion-eager):
evaluate("\
a = function() {};\
function assertArraysEqual(a, b) {\
assertEq(a[i], b[i]);\
}\
function check(b) {\
var a = deserialize(serialize(b));\
assertArraysEqual(a, b);\
}\
var ctors = [\
Int8Array,\
Uint8Array,\
Int16Array,\
Uint16Array,\
Int32Array,\
Uint32Array,\
Float32Array,\
Float64Array,\
Uint8ClampedArray];\
for (var i = 0; i < ctors.length; i++) {\
var ctor = ctors[i];\
b = ctor(0);\
check(b);\
b = ctor(100);\
check(b);\
}\
");
evaluate("assertArraysEqual(a[1], Int8Array([1, 2, 3]));");
|
Reporter | |
Comment 1•13 years ago
|
||
S-s due to GC-relatedness.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 2•13 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 115711:9602f98a6a70
user: Terrence Cole
date: Wed Dec 05 14:21:44 2012 -0800
summary: Bug 819118 - Use accessor rather than direct script access; r=billm
This iteration took 112.987 seconds to run.
|
Assignee | |
Comment 4•13 years ago
|
||
Good find. Not sec-crit because we're not moving yet. I'll add it to our fuzz list too.
|
|
Assignee | |
Comment 5•13 years ago
|
||
It looks like we just need to pass a Handle through here.
Assignee: general → terrence
Status: NEW → ASSIGNED
Attachment #703100 -
Flags: review?(bhackett1024)
|
||
Comment 6•13 years ago
|
||
Comment on attachment 703100 [details] [diff] [review]
v0
Review of attachment 703100 [details] [diff] [review]:
-----------------------------------------------------------------
Well, going forward we shouldn't have any GC activity under the oracle functions, and I'd rather not add more roots that may need to be removed later. I filed bug 772820 a while back to fix this issue, just posted a patch there.
Attachment #703100 -
Flags: review?(bhackett1024)
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 7•13 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 02e12a80aef9).
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
Reporter | |
Comment 8•13 years ago
|
||
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 119272:7b531a62b114
user: Brian Hackett
date: Fri Jan 18 09:23:28 2013 -0700
summary: Bug 772820 - Disallow GCs during script analysis or compilation, r=billm.
This iteration took 82.560 seconds to run.
|
|
||
Comment 9•13 years ago
|
||
Fixed by bug 772820 per comments 6 and 8.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•