Closed
Bug 893263
Opened 12 years ago
Closed 12 years ago
Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h or Assertion failure: p.found(), at dist/include/js/HashTable.h, sometimes crashing with js::gc::MarkValueRootRange or FindReferences on the stack
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Attachments
(5 files)
function x() {}
evaluate("findReferences({})", {
newContext: x
})
asserts js debug shell on m-c changeset 3433a021847b with --baseline-eager at Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h
I've got more testcases (reduced from the same large original testcase) coming up that assert differently and crash differently too.
Locking s-s because js::gc::MarkValueRootRange is on the stack.
|
Reporter | |
Comment 1•12 years ago
|
||
Run also with --baseline-eager:
Assertion failure: p.found(), at dist/include/js/HashTable.h
|
|
Reporter | |
Comment 2•12 years ago
|
||
I couldn't get the stack for this from gdb directly, I had to dump a corefile then inspect it for the stack.
|
|
Reporter | |
Comment 3•12 years ago
|
||
$ ./js-dbg-64-darwin-3433a021847b --baseline-eager testcase.js
js-dbg-64-darwin-3433a021847b(28540) malloc: *** error for object 0x101629c60: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6
|
|
Reporter | |
Comment 4•12 years ago
|
||
Also had to dump a corefile for this.
|
|
Reporter | |
Updated•12 years ago
|
Summary: Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h → Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h or Assertion failure: p.found(), at dist/include/js/HashTable.h, sometimes crashing with js::gc::MarkValueRootRange on the stack
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 5•12 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/b674f0e40c8e
user: Brian Hackett
date: Wed Jul 10 09:29:52 2013 -0600
summary: Bug 885758 - Add ExclusiveContext for use by threads with exclusive access to their compartment, r=billm.
This iteration took 340.644 seconds to run.
|
|
Reporter | |
Comment 6•12 years ago
|
||
Brian, is bug 885758 a likely regressor?
Blocks: 885758
Flags: needinfo?(bhackett1024)
|
|
Reporter | |
Updated•12 years ago
|
Summary: Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h or Assertion failure: p.found(), at dist/include/js/HashTable.h, sometimes crashing with js::gc::MarkValueRootRange on the stack → Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h or Assertion failure: p.found(), at dist/include/js/HashTable.h, sometimes crashing with js::gc::MarkValueRootRange or FindReferences on the stack
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
|
||
Comment 7•12 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #6)
> Brian, is bug 885758 a likely regressor?
No, it isn't. I looked at this and findReferences() has an AutoArrayRooter whose contents change while it is in the process of being traced, causing all sorts of corruption. findReferences() bugs are not s-s.
|
|
||
Updated•12 years ago
|
Group: core-security
Flags: needinfo?(bhackett1024)
|
|
Reporter | |
Comment 8•12 years ago
|
||
Hoping Terrence might be able to look at this, as per IRC.
Flags: needinfo?(terrence)
|
||
Comment 9•12 years ago
|
||
I'm fixing the rooting for findReferences in bug 890048. We should wait until that lands and see if this still reproducess then.
Flags: needinfo?(terrence)
|
|
||
Updated•12 years ago
|
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
|
|
||
Comment 10•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 52f9e8ffe111).
|
|
Reporter | |
Comment 11•12 years ago
|
||
Highly likely fixed by bug 890048. Let's double check.
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:bisectfix]
|
|
||
Updated•12 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:bisectfix] → [fuzzblocker] [jsbugmon:]
|
|
||
Comment 12•12 years ago
|
||
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/411082e7dc9c
user: Terrence Cole
date: Wed Jul 24 16:32:21 2013 -0700
summary: Bug 890048 - Fix rooting of the findReferences shell command; r=jimb,billm
This iteration took 346.581 seconds to run.
|
|
Reporter | |
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:update]
You need to log in
before you can comment on or make changes to this bug.
Description
•