Closed
Bug 690933
Opened 13 years ago
Closed 13 years ago
Assertion failure: log2 < tl::BitSize<size_t>::result, at jstl.h:223 or crash with memory corruption
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla10
| Tracking | Status | |
|---|---|---|
| firefox8 | --- | unaffected |
| firefox9 | + | unaffected |
| firefox10 | + | fixed |
| status1.9.2 | --- | unaffected |
People
(Reporter: decoder, Assigned: cdleary)
References
Details
(4 keywords, Whiteboard: [sg:critical?][qa-] js-triage-needed)
Attachments
(1 file)
|
(deleted),
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
The following test asserts/crashes on mozilla-central revision 1463dc6308a8 (options -m -n), tested on 32 bit:
var fe="vv";
for (i=0; i<24; i++)
fe += fe;
var fu=new Function(
fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
"done"
);
Stepping through the assert causes glibc to terminate:
Program received signal SIGABRT, Aborted.
*** glibc detected *** /srv/repos/mozilla-central/js/src/debug32/js: malloc(): memory corruption: 0x084fbcc8 ***
======= Backtrace: =========
[...]
|
Reporter | |
Comment 1•13 years ago
|
||
Hm, the original test also asserts, it's
mozilla-central/js/src/tests/js1_5/Function/regress-338121-02.js
Isn't that test run with the normal test suite?
|
|
Reporter | |
Comment 2•13 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 77764:4d10127fd106
user: Chris Leary <cdleary@mozilla.com>
date: Thu Sep 22 13:22:30 2011 -0700
summary: Bug 684039: rewrite JS LIFO allocator, avoids thrashing. (r=luke)
|
||
Comment 3•13 years ago
|
||
If the bisected regression is correct this should affect Firefox 9 and not Firefox 8.
Assignee: general → cdleary
status-firefox10:
--- → affected
status-firefox8:
--- → unaffected
status-firefox9:
--- → affected
tracking-firefox10:
--- → +
tracking-firefox9:
--- → +
Keywords: regression
|
Assignee | |
Comment 4•13 years ago
|
||
I think this is only trunk (mozilla10, like on the bisected bug).
The tests were being skipped because of bug 644241 comment 34. (No good way to specify jstest runs as expected-to-OOM.)
Attachment #566031 -
Flags: review?(luke)
|
||
Updated•13 years ago
|
Attachment #566031 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 5•13 years ago
|
||
Target Milestone: --- → mozilla10
|
||
Comment 6•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical?] js-triage-needed → [sg:critical?][qa-] js-triage-needed
|
|
Reporter | |
Comment 8•13 years ago
|
||
Verified fixed on Firefox 10.
|
|
||
Comment 9•13 years ago
|
||
No shipping version had this bug, we can unhide it.
Group: core-security
status1.9.2:
--- → unaffected
|
|
Reporter | |
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•