Closed
Bug 957114
Opened 10 years ago
Closed 10 years ago
GenerationalGC: Assertion failure: addr % CellSize == 0, at gc/Heap.h:1075 or Crash [@ tenuredZoneFromAnyThread] with bad pointer
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 945275
People: Reporter: decoder, Unassigned
Details: Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:ignore]
The following testcase asserts on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision 325c74addeba (run with --fuzzing-safe --ion-eager --ion-compile-try-catch):

gczeal(7,1);
function TestCase(n) {
  this.name = '';
  this.description = '';
  this.expect = '';
  this.actual = '';
  this.reason = '';
  this.passed = '';
}
function test() new TestCase;
test();
Object.defineProperty(Object.prototype, "name", {});
test();
Comment 1•10 years ago (Reporter)
The --ion-compile-try-catch isn't required, just forgot to remove it. Crash trace:

Program received signal SIGSEGV, Segmentation fault.
tenuredZoneFromAnyThread (this=0xbad0bad1) at js/src/gc/Heap.h:1034
1034        return arenaHeader()->zone;
(gdb) bt 8
#0  tenuredZoneFromAnyThread (this=0xbad0bad1) at js/src/gc/Heap.h:1034
#1  zoneFromAnyThread (this=<optimized out>) at js/src/gc/Barrier.h:187
#2  zoneFromAnyThread (this=0x7ffff5800a20) at js/src/vm/ObjectImpl.h:1561
#3  shadowZoneFromAnyThread (this=0x7ffff5800a20) at js/src/gc/Barrier.h:189
#4  readBarrier (thing=0x7ffff5800a20) at js/src/gc/Barrier.h:197
#5  objectKey (this=<synthetic pointer>) at js/src/jsinferinlines.h:991
#6  js::types::TypeSet::hasType (this=0x14e8610, type=...) at js/src/jsinferinlines.h:1026
#7  0x0000000000697b10 in js::types::TypeMonitorResult (cx=0x1426e60, script=<optimized out>, pc=<optimized out>, rval=...) at js/src/jsinfer.cpp:3522
(More stack frames follow...)
Keywords: crash
Comment 2•10 years ago
Reproduced, requires --ion-parallel-compile=off.
Comment 3•10 years ago
From the crash signature (reference to swept nursery) and test case I'm guessing this is the same issue as bug 945275.
Comment 4•10 years ago
The patch in bug 945275 also fixes this.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE