Closed Bug 957114 Opened 10 years ago Closed 10 years ago

GenerationalGC: Assertion failure: addr % CellSize == 0, at gc/Heap.h:1075 or Crash [@ tenuredZoneFromAnyThread] with bad pointer

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
major

RESOLVED DUPLICATE of bug 945275

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:ignore])

The following testcase asserts on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision 325c74addeba (run with --fuzzing-safe --ion-eager --ion-compile-try-catch):


gczeal(7,1);
function TestCase(n) {
  this.name = '';
  this.description = '';
  this.expect = '';
  this.actual = '';
  this.reason = '';
  this.passed = '';
}
function test() new TestCase;
test();
Object.defineProperty(Object.prototype, "name", {});
test();
The --ion-compile-try-catch isn't required, just forgot to remove it. Crash trace:


Program received signal SIGSEGV, Segmentation fault.
tenuredZoneFromAnyThread (this=0xbad0bad1) at js/src/gc/Heap.h:1034
1034        return arenaHeader()->zone;
(gdb) bt 8
#0  tenuredZoneFromAnyThread (this=0xbad0bad1) at js/src/gc/Heap.h:1034
#1  zoneFromAnyThread (this=<optimized out>) at js/src/gc/Barrier.h:187
#2  zoneFromAnyThread (this=0x7ffff5800a20) at js/src/vm/ObjectImpl.h:1561
#3  shadowZoneFromAnyThread (this=0x7ffff5800a20) at js/src/gc/Barrier.h:189
#4  readBarrier (thing=0x7ffff5800a20) at js/src/gc/Barrier.h:197
#5  objectKey (this=<synthetic pointer>) at js/src/jsinferinlines.h:991
#6  js::types::TypeSet::hasType (this=0x14e8610, type=...) at js/src/jsinferinlines.h:1026
#7  0x0000000000697b10 in js::types::TypeMonitorResult (cx=0x1426e60, script=<optimized out>, pc=<optimized out>, rval=...) at js/src/jsinfer.cpp:3522
(More stack frames follow...)
Keywords: crash
Reproduced, requires --ion-parallel-compile=off.
From the crash signature (reference to swept nursery) and test case I'm guessing this is the same issue as bug 945275.
The patch in bug 945275 also fixes this.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
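The assertion in the title (addr % CellSize == 0) and the 0xbad0bad1 "this" pointer in the trace are the two halves of one debugging technique: swept nursery memory is filled with a poison pattern, and the read barrier checks that any cell pointer it is handed is cell-aligned before following it, so a stale reference into the swept nursery fails the check instead of being dereferenced. The following C program is an added model of that mechanism written for this page; it is not SpiderMonkey code and not attached to this bug. CELL_SIZE, SWEPT_POISON, the Cell layout, nursery_alloc, nursery_sweep and read_barrier are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not SpiderMonkey code. CELL_SIZE and SWEPT_POISON are
   assumptions; what matters is that the poison byte is odd, so any pointer
   read back out of swept nursery memory fails the cell-alignment check
   (the bug's "addr % CellSize == 0" assertion) instead of being followed. */
#define CELL_SIZE     16u
#define NURSERY_CELLS 32u
#define SWEPT_POISON  0x2Bu

/* A nursery cell: a pointer to a shape-like header plus one payload word.
   The alignment attribute keeps every cell CELL_SIZE-aligned. */
typedef struct Cell {
    _Alignas(CELL_SIZE) struct Cell *header;
    uintptr_t payload;
} Cell;

static Cell   nursery[NURSERY_CELLS];
static size_t nursery_top;

/* The check the assertion in gc/Heap.h expresses: a cell pointer must be
   non-null and CELL_SIZE-aligned. Returns 1 when addr looks like a cell. */
int cell_addr_ok(uintptr_t addr)
{
    return addr != 0 && addr % CELL_SIZE == 0;
}

/* Bump-allocate one cell from the nursery; NULL when the nursery is full. */
static Cell *nursery_alloc(void)
{
    if (nursery_top >= NURSERY_CELLS)
        return NULL;
    return &nursery[nursery_top++];
}

/* Sweep: nothing in the nursery survives; overwrite it all with poison. */
static void nursery_sweep(void)
{
    memset(nursery, SWEPT_POISON, sizeof nursery);
    nursery_top = 0;
}

/* Read barrier: validate the pointer stored in obj->header before using it.
   Returns 0 when the header pointer is a plausible cell, -1 when it is
   garbage (e.g. read from swept memory). It never dereferences on -1. */
int read_barrier(const Cell *obj)
{
    uintptr_t header = (uintptr_t)obj->header;
    if (!cell_addr_ok(header)) {
        fprintf(stderr, "read barrier: bad header pointer %#jx in cell %p\n",
                (uintmax_t)header, (const void *)obj);
        return -1;
    }
    return 0;
}

/* Scenario 1: an unrecorded raw pointer to a nursery object is kept across a
   sweep and then read through. Returns 1 if the barrier caught the stale
   read, 0 otherwise. */
int stale_pointer_detected(void)
{
    Cell *shape = nursery_alloc();
    Cell *obj   = nursery_alloc();
    obj->header = shape;          /* obj -> shape, both in the nursery */
    Cell *stale = obj;            /* reference the collector was never told about */

    nursery_sweep();              /* obj and shape are now poison bytes */

    return read_barrier(stale) == -1;
}

/* Scenario 2: the object is copied out ("tenured") and the reference is
   updated before the sweep, so the barrier accepts it. Returns 1 when the
   barrier passes, 0 otherwise. */
int tenured_pointer_ok(void)
{
    static Cell tenured_shape, tenured_obj;   /* storage outside the nursery */
    Cell *shape = nursery_alloc();
    Cell *obj   = nursery_alloc();
    obj->header = shape;

    tenured_shape = *shape;
    tenured_obj   = *obj;
    tenured_obj.header = &tenured_shape;      /* forward the internal pointer */
    Cell *ref = &tenured_obj;                 /* reference updated to the copy */

    nursery_sweep();

    return read_barrier(ref) == 0;
}

int main(void)
{
    printf("0xbad0bad1 passes cell check: %d\n", cell_addr_ok(0xbad0bad1u));
    printf("stale nursery pointer caught: %d\n", stale_pointer_detected());
    printf("tenured pointer accepted:     %d\n", tenured_pointer_ok());
    return 0;
}
```

The value from the trace, 0xbad0bad1, is odd, so it can never satisfy addr % CELL_SIZE == 0; that is exactly why the release build crashes in tenuredZoneFromAnyThread while a debug build stops one step earlier at the assertion. In the model the first scenario corresponds to the bug (a reference into the nursery that was never forwarded, so its contents were swept out from under it), and the second shows the state a correct forwarding step leaves behind.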