Closed
Bug 902227
Opened 12 years ago
Closed 12 years ago
GenerationalGC: Crash [@ tenuredZone]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 905654
People
(Reporter: gkw, Assigned: terrence)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files)
|
6.89 KB,
text/plain
|
Details | |
|
897 bytes,
patch
|
Details | Diff | Splinter Review |
ry {
Object.defineProperty(this, "g1", {
get: function() {
newGlobal({
sameZoneAs: {}
})
}
})
g1
schedulegc(3)()
} catch (e) {}
try {
for (schedulegc(5);;) {
g1
}
} catch (e) {}
crashes js opt shell (tested with a threadsafe deterministic 32-bit opt build) on m-c changeset 3ea0cb5a747e without any CLI arguments at tenuredZone when the shell is compiled with --enable-gcgenerational --enable-exact-rooting.
Flags: needinfo?(terrence)
|
Reporter | |
Comment 1•12 years ago
|
||
try {
Object.defineProperty(this, "g1", {
get: function() {
newGlobal({
sameZoneAs: {}
})
}
})
g1
schedulegc(3)()
} catch (e) {}
try {
for (schedulegc(5);;) {
g1
}
} catch (e) {}
This is the correct testcase (I was missing a letter at the start).
|
Assignee | |
Comment 2•12 years ago
|
||
Reproduced locally. Will look into it tomorrow.
Flags: needinfo?(terrence)
|
|
Reporter | |
Updated•12 years ago
|
Assignee: general → terrence
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•12 years ago
|
||
This is a pre-existing, slightly incorrect assertion. |release| wants to assert that the point we are releasing to is <= the top/allocation point. The BumpChunk stores the top pointer unaligned, but the LifoAlloc::Enum stores the traversal position aligned.
The test includes an infinite loop, so I am not attaching it to this patch.
Attachment #787247 -
Flags: review?(wmccloskey)
|
|
Assignee | |
Comment 4•12 years ago
|
||
Gary, I think this must be a different issue than the one you sent me in the mail. This can only be an issue on 32bit and the other issue was reproducing on 64bit as well.
|
|
Reporter | |
Comment 5•12 years ago
|
||
(In reply to Terrence Cole [:terrence] from comment #4)
> Gary, I think this must be a different issue than the one you sent me in the
> mail. This can only be an issue on 32bit and the other issue was reproducing
> on 64bit as well.
I'm sure I'll find more, hopefully including the one found before.
|
|
Assignee | |
Comment 6•12 years ago
|
||
Comment on attachment 787247 [details] [diff] [review]
fuzz_902227-v0.diff
Jon found this independently and fixed it in bug 905654.
Attachment #787247 -
Flags: review?(wmccloskey)
|
|
Assignee | |
Updated•12 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•