Closed Bug 906229 Opened 11 years ago Closed 11 years ago

GenerationalGC: Crash [@ GetGCThingRuntime] or Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(2 files)

Attached file stack
function g() {
    return function(code) {
        eval(code)
    }
}
g()
function f(code) {
    eval(code)
}
f("\
    a1 = [];\
    Object.defineProperty(a1, 3, {\
        get: (function() {\
            Uint8Array(a1)\
        })\
    });\
    function f2() {\
        for (let mgmmvd = 0; mgmmvd < 21; ++mgmmvd) {\
            for (d in [objectEmulatingUndefined(),\
                new Boolean(false),\
                Boolean,\
                new Boolean(false),\
                objectEmulatingUndefined,\
                new Boolean(false),\
                objectEmulatingUndefined,\
                new Boolean(false),\
                new Boolean(),\
                new Boolean,\
                new Boolean(false),\
                new Boolean,\
                objectEmulatingUndefined(),\
                objectEmulatingUndefined(),\
                objectEmulatingUndefined()\
            ]) {}\
        }\
    }\
    Object.defineProperty(a1, 1, {\
        get: (function() {\
            for (j = 0; j < 72; ++j) {\
                f2()\
            }\
        })\
    });\
    Array.prototype.pop.call(a1)\
")
([{
    fun: function(d, b) {}
}, {}, {
    fun: function(d, b) {}
}, {
    fun: function(d, b) {}
}, {
    fun: function(d, b) {}
}, ]);

asserts js debug threadsafe shell (64-bit) on m-i changeset a63f47fcbe98 without any CLI arguments at Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h

Variants crash at GetGCThingRuntime instead (which I'll comment shortly).
Flags: needinfo?(terrence)
Attached file stack for crash
x = [];
Object.defineProperty(x, 3, {
    get: (function() {
        Uint8Array(x)
    })
});
Object.defineProperty(x, 1, {
    get: (function() {
        for (j = 0; j < 72; ++j) {
            for (let z = 0; z < 21; ++z) {
                for (d in [
                    objectEmulatingUndefined(),
                    new Boolean(false),
                    Boolean,
                    new Boolean(false),
                    objectEmulatingUndefined,
                    new Boolean(false),
                    objectEmulatingUndefined,
                    new Boolean(false),
                    new Boolean(),
                    new Boolean,
                    new Boolean(false),
                    new Boolean,
                    objectEmulatingUndefined(),
                    objectEmulatingUndefined(),
                    objectEmulatingUndefined()
                ]) {}
            }
        }
    })
});
Array.prototype.pop.call(x)

Crash [@ GetGCThingRuntime]
Crash Signature: [@ GetGCThingRuntime]
I can reproduce this at the original changeset, but not at the current tip (28c308fbc854) so this must have been fixed by something in the meantime.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(terrence)
Resolution: --- → WORKSFORME
Gary, could you bisect the fix to see what the problem was?
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/32e6af3f6a05
user: Andy Wingo
date: Fri Aug 23 11:07:10 2013 -0400
summary: Bug 904701 - Implement prototype madness for ES6 generators. r=bhackett, r=jorendorff

Both testcases seemed to be fixed by bug 904701. Terrence, I suppose this makes sense?
Flags: needinfo?(terrence)
Flags: needinfo?(gary)
Flags: in-testsuite?
I don't get it, myself, as there is nothing generators-related in that test case.
Andy, did this maybe affect for-in loops somehow?
Flags: needinfo?(terrence)
Flags: needinfo?(wingo)
Maybe, I guess checking how to get an iterator from a value -- but I thought that was fixed by https://bugzilla.mozilla.org/show_bug.cgi?id=908920. Does this bug reproduce after the patch from that bug is applied?
Flags: needinfo?(wingo)
I see from comment 2 that the bug does not reproduce in tip. I think it's likely that the bug was introduced by my patch in bug 904701 and fixed by bug 908920.