Assertion failure: str, at ./dist/include/js/Value.h:640

RESOLVED DUPLICATE of bug 875804

Status

Core
JavaScript Engine
critical

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, sec-high, testcase})

Trunk
x86_64
Linux
assertion, sec-high, testcase

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [dupe of 875804?] [jsbugmon:])

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on mozilla-central revision df526497d949 (no options required):

function gen2() {
  for (var {target: arguments} = getOwnPropertyNames = 0;;)
    yield;
}
for (var d in gen2()) {}
(Reporter)

Comment 1

5 years ago
Created attachment 753825 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Comment 2

5 years ago
I filed this s-s because the original assertion was "Assertion failure: v->toGCThing()" which indicates a GC problem. Feel free to unhide if this is unrelated and/or harmless.
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 3

5 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132801:4370f503d69f
user:        Brian Hackett
date:        Thu May 23 13:25:19 2013 -0600
summary:     Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem.

This iteration took 325.983 seconds to run.
(Reporter)

Comment 4

5 years ago
Created attachment 755297 [details]
[crash-signature] Machine-readable crash signature
Attachment #753825 - Attachment is obsolete: true
(Reporter)

Comment 5

5 years ago
(In reply to Christian Holler (:decoder) from comment #4)
> Created attachment 755297 [details]
> [crash-signature] Machine-readable crash signature

A similar testcase showed these crash signatures when still unreduced. The opt-crash looked like this:
Program received signal SIGSEGV, Segmentation fault.
tenuredGetAllocKind (this=0x1e842f8) at ../gc/Heap.h:965
965         return arenaHeader()->getAllocKind();
(gdb) bt
#0  tenuredGetAllocKind (this=0x1e842f8) at ../gc/Heap.h:965
#1  GetGCThingTraceKind (thing=0x1e842f8) at ../jsgcinlines.h:207
#2  MarkGCThingInternal (name=0x8629a33 "ion-gc-slot", thingp=0xffffbd40, trc=0x901bfc0) at js/src/gc/Marking.cpp:415
#3  js::gc::MarkGCThingRoot (trc=0x901bfc0, thingp=0xffffbd40, name=0x8629a33 "ion-gc-slot") at js/src/gc/Marking.cpp:422
#4  0x08357538 in MarkIonJSFrame (frame=..., trc=<optimized out>) at js/src/ion/IonFrames.cpp:737
#5  MarkIonActivation (activations=<synthetic pointer>, trc=0x901bfc0) at js/src/ion/IonFrames.cpp:947
#6  js::ion::MarkIonActivations (rt=0x901bea0, trc=0x901bfc0) at js/src/ion/IonFrames.cpp:971
#7  0x080d357a in js::gc::MarkRuntime (trc=0x901bfc0, useSavedRoots=false) at js/src/gc/RootMarking.cpp:745
#8  0x081928d7 in BeginMarkPhase (rt=0x901bea0) at js/src/jsgc.cpp:2809
#9  IncrementalCollectSlice (rt=0x901bea0, budget=<optimized out>, reason=JS::gcreason::DEBUG_GC, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:4237
#10 0x08193bcd in GCCycle (rt=0x901bea0, incremental=<optimized out>, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:4415
#11 0x08193fa1 in Collect (rt=0x901bea0, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:4574
#12 0x08194d7c in Collect (reason=JS::gcreason::DEBUG_GC, gckind=js::GC_NORMAL, budget=0, incremental=false, rt=0x901bea0) at js/src/jsgc.cpp:4484
#13 js::gc::RunDebugGC (cx=0x902dfe8) at js/src/jsgc.cpp:4788
#14 0x080faa25 in NewGCThing<JSString, (js::AllowGC)1> (thingSize=16, kind=js::gc::FINALIZE_STRING, cx=0x902dfe8, heap=<optimized out>) at ../jsgcinlines.h:519
#15 js_NewGCString<(js::AllowGC)1> (cx=0x902dfe8) at ../jsgcinlines.h:569
#16 new_<(js::AllowGC)1> (length=17, right="472599", left="BUGNUMBER: ", cx=0x902dfe8) at js/src/vm/String-inl.h:181
#17 js::ConcatStrings<(js::AllowGC)1> (cx=0x902dfe8, left="BUGNUMBER: ", right="472599") at js/src/vm/String.cpp:340
#18 0xf7fcbce0 in ?? ()
(gdb) x /i $pc
=> 0x80a1245 <js::gc::MarkGCThingRoot(JSTracer*, void**, char const*)+53>:      movzbl 0xc(%ecx),%ecx
(gdb) info reg ecx
ecx            0x1e84000        31997952
If this is unlikely to be the same bug, let me know so we can create another test reproducing this GC issue. Marking sec-high based on the crash.
Keywords: sec-high
Decoder said this might be a dupe of bug 875804.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][dupe of 875804?]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update][dupe of 875804?] → [dupe of 875804?] [jsbugmon:update,ignore]
(Reporter)

Comment 7

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 75407626ba46).
(Reporter)

Updated

5 years ago
Whiteboard: [dupe of 875804?] [jsbugmon:update,ignore] → [dupe of 875804?] [jsbugmon:bisectfix]
(Reporter)

Updated

5 years ago
Whiteboard: [dupe of 875804?] [jsbugmon:bisectfix] → [dupe of 875804?] [jsbugmon:]
(Reporter)

Comment 8

5 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   133306:5f6f8a2600cb
user:        Brian Hackett
date:        Wed May 29 09:09:45 2013 -0600
summary:     Bug 875804 - Always keep track of the use of custom iterators, r=jandem.

This iteration took 322.452 seconds to run.
(Reporter)

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 875804
Group: core-security