Closed Bug 976697 Opened 6 years ago Closed 6 years ago
Assertion failure: obj->getPrivate() == nullptr, at vm/ArrayBufferObject.cpp
x = ArrayBuffer();
neuter(x);
Uint32Array(x);
gc();

asserts js debug shell on m-c changeset 1507f021ac93 without any CLI arguments at Assertion failure: obj->getPrivate() == nullptr, at vm/ArrayBufferObject.cpp

This happens fairly often so setting as [fuzzblocker], and setting s-s because this involves gc.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-exact-rooting --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/03355461606c
user: Nicholas D. Matsakis
date: Fri Feb 21 12:32:24 2014 -0500
summary: Bug 975456 -- Preserve invariant that views on a neutered buffer have a NULL data pointer r=shu
Didn't mean to reset the flag, assuming Gary wanted to add Niko.
Assignee: nobody → nmatsakis
Looks like fallout from bug 975456, I'll look into it.
Indeed, I didn't consider the case where you instantiate a new typed array atop a neutered buffer. Sigh.
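The invariants involved here can be checked from script. The following is an added example, not code from this bug or from SpiderMonkey: it uses standard APIs to detach ("neuter") a buffer, since neuter() exists only in the JS shell, and the function names are hypothetical. It reflects current ECMAScript behaviour, where constructing a new view on a detached buffer throws a TypeError.

```javascript
// Added example: what script can observe about a detached ("neutered")
// ArrayBuffer. Runs in Node 17+ or a current browser.

// Detach a buffer with standard APIs only (neuter() is shell-only).
function detach(buf) {
  if (typeof buf.transfer === 'function') {
    buf.transfer();                             // ES2024 ArrayBuffer.prototype.transfer
  } else {
    structuredClone(buf, { transfer: [buf] });  // transfer via structured clone
  }
  return buf;
}

// Returns the name of the error thrown by fn, or null if it completed.
function errorName(fn) {
  try { fn(); return null; } catch (e) { return e.name; }
}

function checkDetachedInvariants() {
  const buf = new ArrayBuffer(16);
  const before = new Uint32Array(buf);  // view created while the buffer is live
  before[0] = 0xdeadbeef;
  detach(buf);

  return {
    bufferLength: buf.byteLength,       // detached buffers report zero length
    viewLength: before.length,          // existing views collapse to length 0
    viewByteOffset: before.byteOffset,
    read: before[0],                    // must not expose the old storage
    // The case from this bug: a *new* view on an already-detached buffer.
    newTypedArray: errorName(() => new Uint32Array(buf)),
    newDataView: errorName(() => new DataView(buf)),
  };
}

// Same shape as the reduced test case: detach, construct, then collect.
// gc() is only called when the host exposes it (JS shell, node --expose-gc).
function reproShape() {
  const x = detach(new ArrayBuffer(8));
  const name = errorName(() => new Uint32Array(x));
  if (typeof gc === 'function') gc();
  return name;
}
```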
Comment on attachment 8382294
Bug976697.diff

Review of attachment 8382294:
-----------------------------------------------------------------

::: js/src/jit-test/tests/TypedObject/bug976697.js
@@ +1,2 @@
> +// Test that instantiating a typed array on top of a neutered buffer
> +// doesn't trip any asserts. Public domain.

Looks like the standard fancy way to do this is

/*
 * Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/licenses/publicdomain/
 */

Though a number of tests don't have a prefix at all. One or the other.
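Review bot: the header comment on lines 1-2 of bug976697.js says only that the test should not "trip any asserts"; naming the assertion it guards (obj->getPrivate() == nullptr in vm/ArrayBufferObject.cpp) would make a later failure of this test easier to triage as this regression rather than a different one.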
Attachment #8382294 - Flags: review?(sphink) → review+
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/bef8a33f2d8f for being in a push that broke jsreftests: https://tbpl.mozilla.org/php/getParsedLog.php?id=36020939&tree=Mozilla-Inbound
Sorry, the back out was in https://hg.mozilla.org/integration/mozilla-inbound/rev/4647aa53d286
Try run (green, as far as I can tell): https://tbpl.mozilla.org/?tree=Try&rev=a6d2715798c8
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx30