
Rooting Analysis: Assertion failure: !IsPoisonedValue(v), at ../gc/Barrier-inl.h:336




JavaScript Engine
5 years ago
4 years ago


(Reporter: decoder, Unassigned)


(Blocks: 1 bug, {assertion, testcase})


Firefox Tracking Flags

(Not tracked)


(Whiteboard: [jsbugmon:ignore])



5 years ago
The following testcase asserts on mozilla-central built with --enable-root-analysis, revision 8e68f4d73ec4 (run with ):

var lfcode = new Array();
var otherGlobal = newGlobal('new-compartment');\n\
function test(str, arg, result) {\n\
    otherGlobal.str = str;\n\
    var c = print(\n\
    var got = fun(arg);\n\
    try {    } catch(e) {    }\n\
test('return let (x = {a: x}) x.a;');\n\
while (true) {
	var file = lfcode.shift(); if (file == undefined) { break; }
function loadFile(lfVarx) {
        if (lfVarx.substr(-3) == ".js") {
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
        } else {
            switch (lfRunTypeId) {
                default: eval(lfVarx); break;

Comment 1

5 years ago
Handle with care, this test is even whitespace sensitive (this is a debug+opt build). Debug trace:

Program received signal SIGSEGV, Segmentation fault.
set (this=<optimized out>, obj=<optimized out>, kind=<optimized out>, slot=<optimized out>, v=...) at ../gc/Barrier-inl.h:332
332         JS_ASSERT_IF(kind == Slot, &obj->getSlotRef(slot) == this);
(gdb) bt
#0  set (this=<optimized out>, obj=<optimized out>, kind=<optimized out>, slot=<optimized out>, v=...) at ../gc/Barrier-inl.h:332
#1  js::HeapSlot::set (this=0xf742c9f0, obj=(JSObject *) 0xf742c9d0 [object Array], kind=js::HeapSlot::Element, slot=0, v=...) at ../gc/Barrier-inl.h:330
#2  0x080aa13f in setDenseElement (val=..., idx=<optimized out>, this=<optimized out>) at ../jsobjinlines.h:449
#3  JSObject::setDenseElementMaybeConvertDouble (this=(JSObject * const) 0xf742c9d0 [object Array], idx=0, val=...) at ../jsobjinlines.h:458
#4  0x081ddb6f in DefinePropertyOrElement (cx=<optimized out>, obj=(JSObject * const) 0xf742c9d0 [object Array], id=$jsid(0), getter=
    0x806e1a0 <JS_PropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)>, setter=
    0x806e1b0 <JS_StrictPropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>)>, attrs=1, flags=0, shortid=0, value=$jsval(-nan(0xfff87da423080)), callSetterAfterwards=
    true, setterIsStrict=false) at js/src/jsobj.cpp:3213
#5  0x081de7ed in js::baseops::SetPropertyHelper (cx=0x8948a78, obj=..., receiver=(JSObject * const) 0xf742c9d0 [object Array], id=$jsid(0), defineHow=0, vp=$jsval(-nan(0xfff87da423080)), strict=0)
    at js/src/jsobj.cpp:4176
#6  0x081dea39 in js::baseops::SetElementHelper (cx=0x8948a78, obj=(JSObject * const) 0xf742c9d0 [object Array], receiver=(JSObject * const) 0xf742c9d0 [object Array], index=0, defineHow=0, vp=
    $jsval(-nan(0xfff87da423080)), strict=0) at js/src/jsobj.cpp:4192
#7  0x08234ee6 in setElement (strict=0, vp=..., index=0, receiver=..., obj=(JSObject * const) 0xf742c9d0 [object Array], cx=<optimized out>) at ../jsobjinlines.h:106
#8  NodeBuilder::newArray (this=0xffffad88, elts=..., dst=$jsval(-nan(0xfff8200000000))) at js/src/jsreflect.cpp:654
#9  0x082447d4 in listNode (dst=..., pos=0x894f80c, elts=..., propName=0x879705c "body", type=js::AST_PROGRAM, this=0xffffad88) at js/src/jsreflect.cpp:423
#10 program (dst=$jsval(-nan(0xfff8200000000)), pos=0x894f80c, elts=..., this=0xffffad88) at js/src/jsreflect.cpp:726
#11 ASTSerializer::program (this=0xffffad80, pn=0x894f808, dst=$jsval(-nan(0xfff8200000000))) at js/src/jsreflect.cpp:1726
#12 0x08245a07 in reflect_parse (cx=0x8948a78, argc=1, vp=0xf7693188) at js/src/jsreflect.cpp:3045
#13 0x081a9f4f in CallJSNative (args=..., native=<optimized out>, cx=0x8948a78) at ../jscntxtinlines.h:327
#14 js::InvokeKernel (cx=0x8948a78, args=..., construct=js::NO_CONSTRUCT) at js/src/jsinterp.cpp:383
#15 0x08198120 in js::Interpret (cx=0x8948a78, entryFrame=0xf76930e0, interpMode=js::JSINTERP_NORMAL) at js/src/jsinterp.cpp:2361
#16 0x081a9bac in js::RunScript (cx=0x8948a78, fp=0xf76930e0) at js/src/jsinterp.cpp:340
#17 0x081abe18 in js::ExecuteKernel (cx=0x8948a78, script=0xf7425280, scopeChainArg=(JSObject &) @0xf742ca00 [object Call] delegate, thisv=..., type=js::EXECUTE_DIRECT_EVAL, evalInFrame=..., result=0xf76930b8)
    at js/src/jsinterp.cpp:530
#18 0x08409409 in EvalKernel (cx=0x8948a78, args=..., evalType=DIRECT_EVAL, caller=..., scopeobj=(JSObject * const) 0xf742ca00 [object Call] delegate) at js/src/builtin/Eval.cpp:305
#19 0x08409819 in js::DirectEval (cx=0x8948a78, args=...) at js/src/builtin/Eval.cpp:421
#20 0x0819fc13 in js::Interpret (cx=0x8948a78, entryFrame=0xf7693028, interpMode=js::JSINTERP_NORMAL) at js/src/jsinterp.cpp:2308
#21 0x081a9bac in js::RunScript (cx=0x8948a78, fp=0xf7693028) at js/src/jsinterp.cpp:340
#22 0x081ac560 in ExecuteKernel (result=0x0, evalInFrame=..., thisv=..., scopeChainArg=..., script=0xf7425100, cx=<optimized out>, type=<optimized out>) at js/src/jsinterp.cpp:530
#23 js::Execute (cx=0x8948a78, script=0xf7425100, scopeChainArg=(JSObject &) @0xf7421040 [object global] delegate, rval=0x0) at js/src/jsinterp.cpp:570
#24 0x0807f89b in JS_ExecuteScript (cx=0x8948a78, objArg=(JSObject *) 0xf7421040 [object global] delegate, scriptArg=0xf7425100, rval=0x0) at js/src/jsapi.cpp:5487
#25 0x08059b22 in Process (cx=0x8948a78, obj_=<optimized out>, filename=0xffffd177 "min.js", forceTTY=false) at js/src/shell/js.cpp:467
#26 0x0806150f in ProcessArgs (op=0xffffceb0, obj_=<optimized out>, cx=0x8948a78) at js/src/shell/js.cpp:5023
#27 Shell (cx=0x8948a78, op=0xffffceb0, envp=0xffffcfe0) at js/src/shell/js.cpp:5060
#28 0x0804b805 in main (argc=2, argv=0xffffcfd4, envp=0xffffcfe0) at js/src/shell/js.cpp:5283
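The assertion in the trace fires inside the heap-slot write barrier when the Value being stored carries a poison pattern. The following is an added example (not SpiderMonkey code): a simplified C model in which a debug GC overwrites the payload of a Value that was not rooted across a collection, and the barrier refuses to store it. Tag layout, poison byte and all function names are constructed for illustration.

```c
/* Added example, not SpiderMonkey code: a simplified model of the idea behind
 * the !IsPoisonedValue(v) assertion. A debug GC poisons Values that were not
 * rooted across a collection; the write barrier then refuses to store them.
 * Tag layout, poison byte and names are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>

#define PAYLOAD_BITS    48
#define PAYLOAD_MASK    ((1ull << PAYLOAD_BITS) - 1)
#define TAG_OBJECT      (0xFFF8ull << PAYLOAD_BITS)       /* NaN-boxed object tag */
#define POISON_BYTE     0xDAull                           /* constructed pattern */
#define POISON_PAYLOAD  (PAYLOAD_MASK / 0xFFu * POISON_BYTE) /* 0xDADADADADADA */

typedef struct { uint64_t bits; } Value;     /* NaN-boxed 64-bit value */
typedef struct { Value v; } HeapSlot;        /* one GC-visible slot */

static Value object_value(uint64_t ptr) {
    Value v = { TAG_OBJECT | (ptr & PAYLOAD_MASK) };
    return v;
}

/* True when the payload carries the poison pattern in every byte. */
static bool is_poisoned_value(Value v) {
    return (v.bits & PAYLOAD_MASK) == POISON_PAYLOAD;
}

/* What the debug GC does to an unrooted Value left on the C stack. */
static void poison_unrooted(Value *v) {
    v->bits = (v->bits & ~PAYLOAD_MASK) | POISON_PAYLOAD;
}

/* Write barrier standing in for JS_ASSERT(!IsPoisonedValue(v)); it returns
 * false instead of aborting so the outcome can be checked by a caller. */
static bool heap_slot_set(HeapSlot *slot, Value v) {
    if (is_poisoned_value(v))
        return false;
    slot->v = v;
    return true;
}

/* Store a live object, let a simulated GC poison the unrooted copy, then
 * store it again. Returns the number of rejected stores (expected: 1). */
static int demo(void) {
    HeapSlot slot = { { 0 } };
    Value obj = object_value(0xf742c9d0ull);    /* address style from the trace */
    int rejected = !heap_slot_set(&slot, obj);  /* live value: accepted */
    poison_unrooted(&obj);                      /* GC ran; obj was not rooted */
    rejected += !heap_slot_set(&slot, obj);     /* stale value: caught */
    return rejected;
}
```

In the real engine the barrier aborts on the assertion instead of returning, which is what produces the SIGSEGV and backtrace above.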
Sorry, I totally missed this when you filed it. I was not able to reproduce on the given revision with:

CC="gcc -m32" CXX="g++ -m32" ./configure --enable-optimize --enable-debug --target=i686-linux-gnu --disable-threadsafe --enable-root-analysis --enable-gczeal --enable-valgrind --enable-more-deterministic --with-system-nspr

gcc (Gentoo 4.6.3 p1.13, pie-0.5.2) 4.6.3

I also tried a 64 bit build without success.
Because of the high false positive rate and difficulty of reproducing these bugs, we have switched our efforts to static analysis and zeal 7.
Last Resolved: 4 years ago
Resolution: --- → WORKSFORME