875789 - Assertion failure: allocKind <= size_t(FINALIZE_LIMIT), at gc/Heap.h:456 or Crash [@ fetchNextFreeArena]

Status: RESOLVED DUPLICATE of bug 875748

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision df526497d949 (no options required):


var actual = '';
test();
function test(y, m, ... x)
  print(actual += test(1,2,3,4));

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

Valgrind on 64 bit debug crash:


==5117== Invalid read of size 8
==5117==    at 0x48F056: js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind) (jsgc.cpp:738)
==5117==    by 0x495217: void* js::gc::ArenaLists::refillFreeList<(js::AllowGC)0>(JSContext*, js::gc::AllocKind) (jsgc.cpp:1268)
==5117==    by 0x442641: js::NewDenseCopiedArray(JSContext*, unsigned int, JS::Value const*, JSObject*, js::NewObjectKind) (jsgcinlines.h:536)
==5117==    by 0x72F099: js::ion::InitRestParameter(JSContext*, unsigned int, JS::Value*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) (VMFunctions.cpp:706)
==5117==    by 0x4028AAB: ???
==5117==    by 0x4: ???
==5117==    by 0x7FEFBCEC7: ???
==5117==  Address 0xfff880000000000c is not stack'd, malloc'd or (recently) free'd
==5117== 
==5117== 
==5117== Process terminating with default action of signal 11 (SIGSEGV)
==5117==  General Protection Fault


S-s due to possibly dangerous GC crash.

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132612:b2216a10f95b
user:        Shu-yu Guo
date:        Tue May 21 23:52:45 2013 -0700
summary:     Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj)

This iteration took 13.006 seconds to run.