Closed
Bug 875806
Opened 11 years ago
Closed 11 years ago
Assertion failure: str, at ./dist/include/js/Value.h:640
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED DUPLICATE of bug 875804
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, sec-high, testcase, Whiteboard: [dupe of 875804?] [jsbugmon:])
Attachments
(1 file, 1 obsolete file)
1.87 KB, text/plain
The following testcase asserts on mozilla-central revision df526497d949 (no options required):

function gen2() {
  for (var {target: arguments} = getOwnPropertyNames = 0;;)
    yield;
}
for (var d in gen2()) {}
Reporter
Comment 1•11 years ago
Reporter
Comment 2•11 years ago
I filed this s-s because the original assertion was "Assertion failure: v->toGCThing()" which indicates a GC problem. Feel free to unhide if this is unrelated and/or harmless.
Whiteboard: [jsbugmon:update,bisect]
Reporter
Updated•11 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 3•11 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132801:4370f503d69f
user:        Brian Hackett
date:        Thu May 23 13:25:19 2013 -0600
summary:     Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem.

This iteration took 325.983 seconds to run.
Reporter
Comment 4•11 years ago
Attachment #753825 - Attachment is obsolete: true
Reporter
Comment 5•11 years ago
(In reply to Christian Holler (:decoder) from comment #4)
> Created attachment 755297 [details]
> [crash-signature] Machine-readable crash signature

A similar testcase showed these crash signatures when still unreduced. The opt-crash looked like this:

Program received signal SIGSEGV, Segmentation fault.
tenuredGetAllocKind (this=0x1e842f8) at ../gc/Heap.h:965
965         return arenaHeader()->getAllocKind();
(gdb) bt
#0  tenuredGetAllocKind (this=0x1e842f8) at ../gc/Heap.h:965
#1  GetGCThingTraceKind (thing=0x1e842f8) at ../jsgcinlines.h:207
#2  MarkGCThingInternal (name=0x8629a33 "ion-gc-slot", thingp=0xffffbd40, trc=0x901bfc0) at js/src/gc/Marking.cpp:415
#3  js::gc::MarkGCThingRoot (trc=0x901bfc0, thingp=0xffffbd40, name=0x8629a33 "ion-gc-slot") at js/src/gc/Marking.cpp:422
#4  0x08357538 in MarkIonJSFrame (frame=..., trc=<optimized out>) at js/src/ion/IonFrames.cpp:737
#5  MarkIonActivation (activations=<synthetic pointer>, trc=0x901bfc0) at js/src/ion/IonFrames.cpp:947
#6  js::ion::MarkIonActivations (rt=0x901bea0, trc=0x901bfc0) at js/src/ion/IonFrames.cpp:971
#7  0x080d357a in js::gc::MarkRuntime (trc=0x901bfc0, useSavedRoots=false) at js/src/gc/RootMarking.cpp:745
#8  0x081928d7 in BeginMarkPhase (rt=0x901bea0) at js/src/jsgc.cpp:2809
#9  IncrementalCollectSlice (rt=0x901bea0, budget=<optimized out>, reason=JS::gcreason::DEBUG_GC, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:4237
#10 0x08193bcd in GCCycle (rt=0x901bea0, incremental=<optimized out>, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:4415
#11 0x08193fa1 in Collect (rt=0x901bea0, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:4574
#12 0x08194d7c in Collect (reason=JS::gcreason::DEBUG_GC, gckind=js::GC_NORMAL, budget=0, incremental=false, rt=0x901bea0) at js/src/jsgc.cpp:4484
#13 js::gc::RunDebugGC (cx=0x902dfe8) at js/src/jsgc.cpp:4788
#14 0x080faa25 in NewGCThing<JSString, (js::AllowGC)1> (thingSize=16, kind=js::gc::FINALIZE_STRING, cx=0x902dfe8, heap=<optimized out>) at ../jsgcinlines.h:519
#15 js_NewGCString<(js::AllowGC)1> (cx=0x902dfe8) at ../jsgcinlines.h:569
#16 new_<(js::AllowGC)1> (length=17, right="472599", left="BUGNUMBER: ", cx=0x902dfe8) at js/src/vm/String-inl.h:181
#17 js::ConcatStrings<(js::AllowGC)1> (cx=0x902dfe8, left="BUGNUMBER: ", right="472599") at js/src/vm/String.cpp:340
#18 0xf7fcbce0 in ?? ()
(gdb) x /i $pc
=> 0x80a1245 <js::gc::MarkGCThingRoot(JSTracer*, void**, char const*)+53>:    movzbl 0xc(%ecx),%ecx
(gdb) info reg ecx
ecx            0x1e84000    31997952

If this is unlikely to be the same bug, let me know so we can create another test reproducing this GC issue. Marking sec-high based on the crash.
Keywords: sec-high
Comment 6•11 years ago
Decoder said this might be a dupe of bug 875804.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][dupe of 875804?]
Reporter
Updated•11 years ago
Whiteboard: [jsbugmon:update][dupe of 875804?] → [dupe of 875804?] [jsbugmon:update,ignore]
Reporter
Comment 7•11 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 75407626ba46).
Reporter
Updated•11 years ago
Whiteboard: [dupe of 875804?] [jsbugmon:update,ignore] → [dupe of 875804?] [jsbugmon:bisectfix]
Reporter
Updated•11 years ago
Whiteboard: [dupe of 875804?] [jsbugmon:bisectfix] → [dupe of 875804?] [jsbugmon:]
Reporter
Comment 8•11 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   133306:5f6f8a2600cb
user:        Brian Hackett
date:        Wed May 29 09:09:45 2013 -0600
summary:     Bug 875804 - Always keep track of the use of custom iterators, r=jandem.

This iteration took 322.452 seconds to run.
Reporter
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security