Closed
Bug 926448
Opened 11 years ago
Closed 11 years ago
[jsdbg2] Assertion failure: table or Assertion failure: object->runtimeFromMainThread()->isHeapBusy(), at vm/Debugger.cpp:385 or Crash [@ js_free] with Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 942480
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(1 file)
|
1.42 KB,
text/plain
|
Details |
The following testcase asserts on mozilla-central revision 211337f7fb83 (run with --fuzzing-safe):
function attach(i) {
var dbg = Debugger();
}
for (var i = 0; i < 4000000; i++)
attach(i);
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ js_free]
Flags: needinfo?(jorendorff)
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
|
||
Comment 2•11 years ago
|
||
Can't reproduce on Mac. Tried both debug and debug-threadsafe builds of 211337f7fb83.
Flags: needinfo?(jorendorff)
|
|
||
Comment 3•11 years ago
|
||
Still cant' repro on Mac, even with kind words and encouragement from decoder on IRC. :) jimb, does it happen for you? Can you investigate a bit?
Flags: needinfo?(jimb)
|
|
Reporter | |
Comment 4•11 years ago
|
||
Note that I only tested this with --enable-optimize (even for debug builds). Not sure if it matters here.
|
||
Comment 5•11 years ago
|
||
This doesn't assert for me. But it does fail to trigger GC in the shell, and the process grows until the kernel kills it.
Flags: needinfo?(jimb)
|
|
||
Comment 6•11 years ago
|
||
While I wasn't able to reproduce the assertion, I filed bug 926678 and bug 926681 for failing to call GC.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 7•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/9c90bda44992 user: Brian Hackett date: Thu Aug 15 07:33:30 2013 -0700 summary: Bug 864220 - Use mprotect to trigger interrupts in Ion compiled code, r=luke,jandem. This iteration took 221.381 seconds to run.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 8•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0204febd3146).
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
Reporter | |
Comment 9•11 years ago
|
||
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/521a84fc4f6f user: Jim Blandy date: Sun Dec 08 15:53:28 2013 -0800 summary: Bug 942480: Don't js_delete a freshly allocated js::Debugger, if we've stored it in the Debugger JSObject's private slot. r=shu This iteration took 359.795 seconds to run.
|
|
||
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•