Bug 566145
Opened 15 years ago
Closed 15 years ago
"Assertion failure: slot < obj2->scope()->freeslot, at ../jsops.cpp" with gczeal
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Tracking
Flag | Value
---|---
blocking2.0 | betaN+
status1.9.2 | unaffected
status1.9.1 | unaffected
People
(Reporter: gkw, Assigned: igor)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?][critsmash:investigating] fixed-in-tracemonkey)
Attachments (1 file, 1 obsolete file)
obsolete attachment (deleted)
patch: jorendorff: review+
gczeal(2)
x = false;
for (let a in [String, 0]) {
  x
  function p() {
    a
  }
}
asserts js shell on TM tip without -j at Assertion failure: slot < obj2->scope()->freeslot, at ../jsops.cpp:2198
s-s because this involves gczeal.
Comment 1•15 years ago
autoBisect shows this is probably related to bug 540706:
The first bad revision is:
changeset: 41905:a00078178698
user: Luke Wagner
date: Wed Mar 03 17:52:26 2010 -0800
summary: Bug 540706 - use contiguous buffer for stack frames and slots (r=waldo)
Blocks: 540706
Updated•15 years ago
Whiteboard: [sg:critical?]
Comment 2•15 years ago
Awesomely short test case; thanks Gary!
This seems to be a bug related to bug 540805; bug 540706 just changes the order in which things are marked (and thus the order that shapes are regenerated) in such a way that the bug is exposed.
The problem is that emptyBlockScope's shape is not changed on a shape-regenerating GC, and thus some other scope can be given the same shape. This means that a block can get a false hit in the prop-cache for (in this case, the global object).
emptyArgumentsScope appears to have the same problem.
Comment 3•15 years ago
Igor, can you verify if this is related to bug 540805?
Assignee: general → igor
Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
Updated•15 years ago
blocking2.0: --- → ?
Comment 4•15 years ago
(In reply to comment #3)
> Igor, can you verify if this is related to bug 540805?
Yes, this is indeed a regression from that bug.
Comment 5•15 years ago
The patch reserves the shapes for empty arguments and block objects so they are never reused.
Attachment #446230 - Flags: review?(jorendorff)
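Added example, not SpiderMonkey code and not from this bug's patch: a hypothetical C++ model of the mechanism comment 2 describes and the reservation comment 5 applies. Shapes are renumbered on a shape-regenerating GC, the shared empty block scope keeps its old number, and a property-cache entry filled for the global object's `x` then matches the block object whose `freeslot` is 0; reserving the empty scope's shape below the regenerated range prevents the collision. All names (`ShapeGen`, `simulateFalseHit`, the single-property global) are constructed for the model.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <utility>

// Hypothetical model of shape numbering and the property cache (not SpiderMonkey code).
const uint32_t kReservedEmptyShape = 1;  // shape reserved for the shared empty scope (the fix)

struct Scope {
    uint32_t shape;
    std::map<std::string, uint32_t> slots;  // property name -> slot index
    uint32_t freeslot;                       // number of slots the object actually owns
};

struct ShapeGen {
    bool reserve;
    uint32_t next;
    explicit ShapeGen(bool r) : reserve(r), next(r ? kReservedEmptyShape + 1 : 1) {}
    uint32_t alloc() { return next++; }
    // Shape-regenerating GC: numbering restarts from the lowest non-reserved value.
    void reset() { next = reserve ? kReservedEmptyShape + 1 : 1; }
};

// Property cache keyed by (shape, name) -> slot.
typedef std::map<std::pair<uint32_t, std::string>, uint32_t> PropCache;

// Returns true when a lookup through the block hits a cache entry whose slot is outside
// the block's freeslot range (the condition the bug's assertion guards against).
bool simulateFalseHit(bool reserveEmptyShapes) {
    ShapeGen gen(reserveEmptyShapes);
    Scope emptyBlock;   // shared empty block scope: no properties, no slots
    emptyBlock.shape = reserveEmptyShapes ? kReservedEmptyShape : gen.alloc();
    emptyBlock.freeslot = 0;
    Scope global;       // constructed global object with one property 'x' in slot 0
    global.shape = gen.alloc();
    global.slots["x"] = 0;
    global.freeslot = 1;

    // GC regenerates live scopes' shapes, but the shared empty scope is not revisited
    // (the defect), so its old number can be handed out again.
    gen.reset();
    global.shape = gen.alloc();

    PropCache cache;
    cache[std::make_pair(global.shape, std::string("x"))] = global.slots["x"];  // global 'x' access

    // Inside the block, 'x' is looked up starting at the block object.
    PropCache::iterator hit = cache.find(std::make_pair(emptyBlock.shape, std::string("x")));
    if (hit == cache.end())
        return false;                               // miss: falls through to a real scope walk
    return hit->second >= emptyBlock.freeslot;      // false hit on a slot the block does not own
}
```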
Comment 6•15 years ago
The new patch removes unrelated changes and whitespace junk from v1.
Attachment #446230 - Attachment is obsolete: true
Attachment #446231 - Flags: review?(jorendorff)
Attachment #446230 - Flags: review?(jorendorff)
Comment 7•15 years ago
Brute force, more than ok for now. I think shapes as generated uint32 (uint24) value capabilities go away at the end of the patch queue for bug 558451.
/be
Updated•15 years ago
Attachment #446231 - Flags: review?(jorendorff) → review+
Comment 8•15 years ago
Whiteboard: [sg:critical?][critsmash:investigating] → [sg:critical?][critsmash:investigating] fixed-in-tracemonkey
Comment 9•15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•14 years ago
blocking2.0: ? → betaN+
Updated•14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Updated•10 years ago
Group: core-security