Closed
Bug 952780
Opened 12 years ago
Closed 12 years ago
Assertion failure: runtime->isAtomsZone(str->zone()) || str->zone() == obj->zone(), at gc/Marking.cpp or Assertion failure: (str)->zone()->isGCMarking() || (runtime)->isAtomsZone((str)->zone()), at gc/Marking.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla29
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
Attachments
(2 files)
evaluate("x", ({
global: evalcx(''),
elementProperty: {},
}));
asserts js debug shell on m-c changeset 599100c4ebfe with -D at Assertion failure: runtime->isAtomsZone(str->zone()) || str->zone() == obj->zone(), at gc/Marking.cpp
My configure flags are:
CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --enable-threadsafe <other NSPR options>
s-s because gc is on the stack. Again related to bug 637572?
Flags: needinfo?(ejpbruel)
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 1•12 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
| Reporter | ||
Comment 2•12 years ago
|
||
x = evalcx('')
schedulegc(x)
evaluate("function f(){}", ({
global: x,
elementProperty: objectEmulatingUndefined()
}))
gcslice(2285)
Here's another similar testcase asserting similarly (they were about to reduce to the same assert) at Assertion failure: (str)->zone()->isGCMarking() || (runtime)->isAtomsZone((str)->zone()), at gc/Marking.cpp - tested on m-c rev 25524dc5c99f.
| Reporter | ||
Updated•12 years ago
|
Summary: Assertion failure: runtime->isAtomsZone(str->zone()) || str->zone() == obj->zone(), at gc/Marking.cpp → Assertion failure: runtime->isAtomsZone(str->zone()) || str->zone() == obj->zone(), at gc/Marking.cpp or Assertion failure: (str)->zone()->isGCMarking() || (runtime)->isAtomsZone((str)->zone()), at gc/Marking.cpp
| Reporter | ||
Updated•12 years ago
|
Attachment #8355357 -
Attachment description: stack → stack for second testcase
Updated•12 years ago
|
Group: javascript-core-security
Comment 3•12 years ago
|
||
A number of fixes in that area have landed since Jan 2; I am not able to reproduce this any more. Gary, can you reproduce?
Flags: needinfo?(gary)
| Reporter | ||
Comment 4•12 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/3743ea445b81
user: Jim Blandy
date: Wed Jan 22 16:41:15 2014 -0800
summary: Bug 952885: When doing cross-global compilations in the shell, properly wrap CompileOptions members for the new global. r=njn
Both the testcases in comment 0 and comment 2 seem to be fixed by bug 952885.
Jim, are the branches likely affected as well?
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox29:
--- → fixed
status-firefox30:
--- → fixed
Flags: needinfo?(jimb)
Flags: needinfo?(gary)
Flags: needinfo?(ejpbruel)
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Comment 5•12 years ago
|
||
This was a shell-only crash; there was no way to elicit it in the browser, that I can see.
Flags: needinfo?(jimb)
Comment 6•12 years ago
|
||
Clearing s-s and security rating based on comment 5.
Group: core-security, javascript-core-security
Keywords: sec-high
Comment 7•12 years ago
|
||
Removing the keyword since I couldn't reproduce this locally with the 12/21 mozilla-central JS shell. Hopefully, an automated test will cover this soon enough.
Keywords: verifyme
Updated•12 years ago
|
Updated•12 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•