Closed Bug 889290 Opened 12 years ago Closed 12 years ago

Assertion failure: isObject(), at js/Value.h:1068 or Crash [@ TraceArrayBufferView]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox22 --- unaffected
firefox23 --- unaffected
firefox24 --- unaffected
firefox25 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected
b2g18-v1.0.0 --- unaffected
b2g18-v1.0.1 --- unaffected
b2g-v1.1hd --- unaffected

People

(Reporter: decoder, Unassigned)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

[crash-signature] Machine-readable crash signature
1.16 KB, text/plain
Details
The following testcase asserts on mozilla-central revision 4ffb23062b3b (run with --fuzzing-safe --ion-eager): gczeal(2,4); function asmModule(heap) { var g = newGlobal('new-compartment'); new g.Int8Array(heap); } asmModule(new ArrayBuffer(2048));
Not sure if this is actually s-s. Is it possible to get an Int8Array constructor from a different global without the newGlobal function?
Crash Signature: [@ TraceArrayBufferView]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
The assert reproduces with --no-ion --no-baseline --no-asmjs. I'd expect that this is a typed array GC bug.
Summary: OdinMonkey: Assertion failure: isObject(), at js/Value.h:1068 or Crash [@ TraceArrayBufferView] → Assertion failure: isObject(), at js/Value.h:1068 or Crash [@ TraceArrayBufferView]
Random note decoder/gary: it might be useful to have a gczeal() mode that triggers all the time, but only after the self-hosted code has finished loading; I think that is what makes this testcase take so long.
Marking high because it sounds like a GC bug. Adjust the rating as needed.
Keywords: sec-high
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/866dbb8830d1 user: Terrence Cole date: Mon Jun 24 17:33:27 2013 -0700 summary: Bug 886575 - Update TypedArray's data slot when doing fallback marking for minor GC; r=sfink This iteration took 325.986 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f2d3b5149d3a).
I suspect this was fixed by bug 891773, but let's recheck.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,bisectfix,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3433a021847b).
Whiteboard: [jsbugmon:update,bisectfix,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/9a908856c46c user: Terrence Cole date: Thu Jul 11 14:34:54 2013 -0700 summary: Bug 891773 - Check ArrayBufferView's back reference before marking; r=sfink This iteration took 345.087 seconds to run.
Yup, fixed by bug 891773.
Blocks: 886575
Status: NEW → RESOLVED
Closed: 12 years ago
status-b2g18: --- → unaffected
status-b2g18-v1.0.0: --- → unaffected
status-b2g18-v1.0.1: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-firefox22: --- → unaffected
status-firefox23: --- → unaffected
status-firefox24: --- → unaffected
status-firefox25: --- → fixed
status-firefox-esr17: --- → unaffected
Keywords: regression
Resolution: --- → FIXED
Whiteboard: [jsbugmon:] → [jsbugmon:update]
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: