Closed
Bug 981462
Opened 11 years ago
Closed 11 years ago
GenerationalGC: Crash [@ js::ObjectImpl::compartment] or Opt-Crash [@ js::ArrayBufferObject::sweep]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla31
| Tracking | Status | |
|---|---|---|
| firefox31 | --- | verified |
People
(Reporter: decoder, Assigned: jonco)
References
Details
(Keywords: crash, Whiteboard: [jsbugmon:update,bisect,ignore][qa-])
Crash Data
Attachments
(1 file)
|
2.46 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision d01bf8596d3b (run with --fuzzing-safe):
gcPreserveCode();
function reportCompare (expected, actual, description) {
"', Actual value '" + toPrinted(actual) + "' ";
if (typeof document != "object" || !document.location.href.match(/jsreftest.html/)) {}
}
gczeal(9, 1)
try {
var StructType = TypedObject.StructType;
var uint8 = TypedObject.uint8;
function assertEqColor(c1, c2) assertEq(c1.b, c2.b);
var RgbColor = new StructType({r: uint8, g: uint8, b: uint8});
var Fade = new StructType({from: RgbColor, to: RgbColor});
var white = new RgbColor({r: 255, g: 255, b: 255});
var fade = new Fade({from: white, to: white});
assertEqColor(white, fade.from);
assertEqColor(white, fade.to);
reportCompare(true, true);
} catch(exc1) {}
|
Assignee | |
Comment 1•11 years ago
|
||
Reproduced in debug build with the following simplified test case:
gcPreserveCode();
var StructType = TypedObject.StructType;
var uint8 = TypedObject.uint8;
function assertEqColor(c1, c2) assertEq(c1.b, c2.b);
var RgbColor = new StructType({r: uint8, g: uint8, b: uint8});
var Fade = new StructType({from: RgbColor, to: RgbColor});
var white = new RgbColor({r: 255, g: 255, b: 255});
gczeal(9, 1);
var fade = new Fade({from: white, to: white});
assertEqColor(white, fade.from);
assertEqColor(white, fade.to);
|
|
Assignee | |
Comment 2•11 years ago
|
||
Looks like this was introduced by the fix for bug 978387.
Assignee: nobody → jcoppeard
|
|
Assignee | |
Comment 3•11 years ago
|
||
The fix is to save and restore the live array buffer list over minor GC if we are in the middle of an incremental collection.
This unfortunately adds another unhandlable OOM situation though.
Attachment #8393012 -
Flags: review?(terrence)
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
|
|
Reporter | |
Comment 4•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 082761b7bc54).
|
||
Comment 6•11 years ago
|
||
Comment on attachment 8393012 [details] [diff] [review]
bug981462-liveArrayBufferLists
Review of attachment 8393012 [details] [diff] [review]:
-----------------------------------------------------------------
Great find! r=me
Attachment #8393012 -
Flags: review?(terrence) → review+
|
|
Assignee | |
Comment 7•11 years ago
|
||
|
||
Comment 8•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
|
||
Comment 10•11 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #4)
> JSBugMon: The testcase found in this bug no longer reproduces (tried
> revision 082761b7bc54).
Changing testcase to testcase-wanted as per this comment.
status-firefox31:
--- → fixed
Keywords: testcase → testcase-wanted
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:update,bisect,ignore][qa-]
|
|
||
Comment 11•11 years ago
|
||
Assuming verified fixed based on 0 reports of this signature in the last week on crash-stats.
|
|
||
Updated•9 years ago
|
Keywords: testcase-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•