Closed
Bug 832488
Opened 11 years ago
Closed 11 years ago
"ASSERTION: bad pop from per thread data" with verifyprebarriers, CC
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jruderman, Unassigned)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [fuzzblocker])
Attachments
(2 files)
Exposed by the fix for bug 829430. 1. Create a new profile (mkdir -p ~/px/a; firefox -profile ~/px/a) 2. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi 3. Load the testcase ###!!! ASSERTION: bad pop from per thread data: 'old == this', file /Users/jruderman/trees/mozilla-central/js/xpconnect/src/XPCCallContext.cpp, line 295 Followed by one of the following: Assertion failure: constraintsPurged(), at /Users/jruderman/trees/mozilla-central/js/src/jsinfer.h:695 Or a null deref [@ js::types::TypeSet::unknown]
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
Should that first assertion be fatal?
|
|
Reporter | |
Updated•11 years ago
|
Flags: needinfo?(bobbyholley+bmo)
|
||
Comment 3•11 years ago
|
||
Yeah, it's hard to say totally because XPCCallContexts do this crazy unintuitive stack management, but but I _think_ this shouldn't happen. That is to say, I think this might be memory corruption. :-(
Flags: needinfo?(bobbyholley+bmo)
|
|
Reporter | |
Comment 4•11 years ago
|
||
I can reproduce with a normal debug build, but not an ASan debug build??
|
|
Reporter | |
Comment 5•11 years ago
|
||
Can also lead to: Assertion failure: cx->maybeRegs() == ®s_, at js/src/jscntxtinlines.h:125
|
|
Reporter | |
Comment 6•11 years ago
|
||
Or crashes in js::types::TypeSet::hasType
|
|
Reporter | |
Comment 7•11 years ago
|
||
Or: Assertion failure: hasfp(), at js/src/vm/Stack.h:1747
Whiteboard: [fuzzblocker]
|
|
Reporter | |
Comment 8•11 years ago
|
||
WFM
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•