Closed Bug 875806 Opened 11 years ago Closed 11 years ago

Assertion failure: str, at ./dist/include/js/Value.h:640

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 875804

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [dupe of 875804?] [jsbugmon:])

Attachments

(1 file, 1 obsolete file)

The following testcase asserts on mozilla-central revision df526497d949 (no options required):


function gen2() {
 for (var {target: arguments} = getOwnPropertyNames = 0;;)
   yield;
}
for (var d in gen2()) {}
I filed this s-s because the original assertion was "Assertion failure: v->toGCThing()" which indicates a GC problem. Feel free to unhide if this is unrelated and/or harmless.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132801:4370f503d69f
user:        Brian Hackett
date:        Thu May 23 13:25:19 2013 -0600
summary:     Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem.

This iteration took 325.983 seconds to run.
Attachment #753825 - Attachment is obsolete: true
(In reply to Christian Holler (:decoder) from comment #4)
> Created attachment 755297 [details]
> [crash-signature] Machine-readable crash signature

A similar testcase showed these crash signatures when still unreduced. The opt-crash looked like this:


Program received signal SIGSEGV, Segmentation fault.
tenuredGetAllocKind (this=0x1e842f8) at ../gc/Heap.h:965
965         return arenaHeader()->getAllocKind();
(gdb) bt
#0  tenuredGetAllocKind (this=0x1e842f8) at ../gc/Heap.h:965
#1  GetGCThingTraceKind (thing=0x1e842f8) at ../jsgcinlines.h:207
#2  MarkGCThingInternal (name=0x8629a33 "ion-gc-slot", thingp=0xffffbd40, trc=0x901bfc0) at js/src/gc/Marking.cpp:415
#3  js::gc::MarkGCThingRoot (trc=0x901bfc0, thingp=0xffffbd40, name=0x8629a33 "ion-gc-slot") at js/src/gc/Marking.cpp:422
#4  0x08357538 in MarkIonJSFrame (frame=..., trc=<optimized out>) at js/src/ion/IonFrames.cpp:737
#5  MarkIonActivation (activations=<synthetic pointer>, trc=0x901bfc0) at js/src/ion/IonFrames.cpp:947
#6  js::ion::MarkIonActivations (rt=0x901bea0, trc=0x901bfc0) at js/src/ion/IonFrames.cpp:971
#7  0x080d357a in js::gc::MarkRuntime (trc=0x901bfc0, useSavedRoots=false) at js/src/gc/RootMarking.cpp:745
#8  0x081928d7 in BeginMarkPhase (rt=0x901bea0) at js/src/jsgc.cpp:2809
#9  IncrementalCollectSlice (rt=0x901bea0, budget=<optimized out>, reason=JS::gcreason::DEBUG_GC, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:4237
#10 0x08193bcd in GCCycle (rt=0x901bea0, incremental=<optimized out>, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:4415
#11 0x08193fa1 in Collect (rt=0x901bea0, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:4574
#12 0x08194d7c in Collect (reason=JS::gcreason::DEBUG_GC, gckind=js::GC_NORMAL, budget=0, incremental=false, rt=0x901bea0) at js/src/jsgc.cpp:4484
#13 js::gc::RunDebugGC (cx=0x902dfe8) at js/src/jsgc.cpp:4788
#14 0x080faa25 in NewGCThing<JSString, (js::AllowGC)1> (thingSize=16, kind=js::gc::FINALIZE_STRING, cx=0x902dfe8, heap=<optimized out>) at ../jsgcinlines.h:519
#15 js_NewGCString<(js::AllowGC)1> (cx=0x902dfe8) at ../jsgcinlines.h:569
#16 new_<(js::AllowGC)1> (length=17, right="472599", left="BUGNUMBER: ", cx=0x902dfe8) at js/src/vm/String-inl.h:181
#17 js::ConcatStrings<(js::AllowGC)1> (cx=0x902dfe8, left="BUGNUMBER: ", right="472599") at js/src/vm/String.cpp:340
#18 0xf7fcbce0 in ?? ()
(gdb) x /i $pc
=> 0x80a1245 <js::gc::MarkGCThingRoot(JSTracer*, void**, char const*)+53>:      movzbl 0xc(%ecx),%ecx
(gdb) info reg ecx
ecx            0x1e84000        31997952


If this is unlikely to be the same bug, let me know so we can create another test reproducing this GC issue. Marking sec-high based on the crash.
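As an added illustration, not part of the bug report or of Mozilla's own tooling, the following script turns a gdb backtrace like the one above into a normalized crash signature of the kind the "[crash-signature]" attachment refers to. The sample frames are copied from the backtrace above; the "GC marking" triage heuristic (which is what justified sec-high here) is this example's own assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Frames copied from the gdb backtrace in this bug (constructed sample input).
SAMPLE_BT = """\
#0  tenuredGetAllocKind (this=0x1e842f8) at ../gc/Heap.h:965
#1  GetGCThingTraceKind (thing=0x1e842f8) at ../jsgcinlines.h:207
#2  MarkGCThingInternal (name=0x8629a33 "ion-gc-slot", thingp=0xffffbd40, trc=0x901bfc0) at js/src/gc/Marking.cpp:415
#3  js::gc::MarkGCThingRoot (trc=0x901bfc0, thingp=0xffffbd40, name=0x8629a33 "ion-gc-slot") at js/src/gc/Marking.cpp:422
#4  0x08357538 in MarkIonJSFrame (frame=..., trc=<optimized out>) at js/src/ion/IonFrames.cpp:737
#14 0x080faa25 in NewGCThing<JSString, (js::AllowGC)1> (thingSize=16, kind=js::gc::FINALIZE_STRING, cx=0x902dfe8, heap=<optimized out>) at ../jsgcinlines.h:519
#18 0xf7fcbce0 in ?? ()
"""

@dataclass
class Frame:
    index: int
    function: str
    file: Optional[str]
    line: Optional[int]

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.*)$")
LOC_RE = re.compile(r"\s+at\s+(\S+):(\d+)$")

def parse_frame(text: str) -> Optional[Frame]:
    m = FRAME_RE.match(text.strip())
    if not m:
        return None
    rest = m.group(2)
    file = line = None
    loc = LOC_RE.search(rest)
    if loc:
        file, line = loc.group(1), int(loc.group(2))
        rest = rest[:loc.start()]
    # The argument list is the last parenthesised group, so splitting at the
    # last " (" keeps template parameters such as "<JSString, (js::AllowGC)1>" intact.
    cut = rest.rfind(" (")
    function = rest[:cut] if cut != -1 else rest
    return Frame(int(m.group(1)), function.strip(), file, line)

def parse_backtrace(bt: str) -> List[Frame]:
    frames = [parse_frame(l) for l in bt.splitlines() if l.startswith("#")]
    return [f for f in frames if f is not None]

def crash_signature(frames: List[Frame], depth: int = 5) -> str:
    """Top `depth` symbolised frames joined with ' | '; unsymbolised '??' frames are dropped."""
    names = [f.function for f in frames if f.function != "??"]
    return " | ".join(names[:depth])

def is_gc_marking_crash(frames: List[Frame], depth: int = 5) -> bool:
    """Assumed triage heuristic: a top frame inside the GC marking code means a bogus GC pointer."""
    for f in frames[:depth]:
        if f.function.startswith("js::gc::Mark") or (f.file and f.file.endswith("Marking.cpp")):
            return True
    return False
```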
Keywords: sec-high
Decoder said this might be a dupe of bug 875804.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][dupe of 875804?]
Whiteboard: [jsbugmon:update][dupe of 875804?] → [dupe of 875804?] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 75407626ba46).
Whiteboard: [dupe of 875804?] [jsbugmon:update,ignore] → [dupe of 875804?] [jsbugmon:bisectfix]
Whiteboard: [dupe of 875804?] [jsbugmon:bisectfix] → [dupe of 875804?] [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   133306:5f6f8a2600cb
user:        Brian Hackett
date:        Wed May 29 09:09:45 2013 -0600
summary:     Bug 875804 - Always keep track of the use of custom iterators, r=jandem.

This iteration took 322.452 seconds to run.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security