Closed Bug 952780 Opened 12 years ago Closed 12 years ago

Assertion failure: runtime->isAtomsZone(str->zone()) || str->zone() == obj->zone(), at gc/Marking.cpp or Assertion failure: (str)->zone()->isGCMarking() || (runtime)->isAtomsZone((str)->zone()), at gc/Marking.cpp

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla29
Tracking Status
firefox29 --- fixed
firefox30 --- fixed

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

Attachments

(2 files)

Attached file lldb stack
evaluate("x", ({
    global: evalcx(''),
    elementProperty: {},
}));

asserts js debug shell on m-c changeset 599100c4ebfe with -D at Assertion failure: runtime->isAtomsZone(str->zone()) || str->zone() == obj->zone(), at gc/Marking.cpp

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

s-s because gc is on the stack. Again related to bug 637572?
Flags: needinfo?(ejpbruel)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
x = evalcx('')
schedulegc(x)
evaluate("function f(){}", ({
    global: x,
    elementProperty: objectEmulatingUndefined()
}))
gcslice(2285)

Here's another similar testcase asserting similarly (they were about to reduce to the same assert) at Assertion failure: (str)->zone()->isGCMarking() || (runtime)->isAtomsZone((str)->zone()), at gc/Marking.cpp - tested on m-c rev 25524dc5c99f.
Summary: Assertion failure: runtime->isAtomsZone(str->zone()) || str->zone() == obj->zone(), at gc/Marking.cpp → Assertion failure: runtime->isAtomsZone(str->zone()) || str->zone() == obj->zone(), at gc/Marking.cpp or Assertion failure: (str)->zone()->isGCMarking() || (runtime)->isAtomsZone((str)->zone()), at gc/Marking.cpp
Attachment #8355357 - Attachment description: stack → stack for second testcase
Keywords: sec-high
Group: javascript-core-security
A number of fixes in that area have landed since Jan 2; I am not able to reproduce this any more. Gary, can you reproduce?
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/3743ea445b81
user: Jim Blandy
date: Wed Jan 22 16:41:15 2014 -0800
summary: Bug 952885: When doing cross-global compilations in the shell, properly wrap CompileOptions members for the new global. r=njn

Both the testcases in comment 0 and comment 2 seem to be fixed by bug 952885.

Jim, are the branches likely affected as well?
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(jimb)
Flags: needinfo?(gary)
Flags: needinfo?(ejpbruel)
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
This was a shell-only crash; there was no way to elicit it in the browser, that I can see.
Flags: needinfo?(jimb)
Clearing s-s and security rating based on comment 5.
Group: core-security, javascript-core-security
Keywords: sec-high
Keywords: verifyme
Removing the keyword since I couldn't reproduce this locally with the 12/21 mozilla-central JS shell. Hopefully, an automated test will cover this soon enough.
Keywords: verifyme