Closed Bug 756243 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: kind == GetGCThingTraceKind(*thingp), at gc/Marking.cpp:231

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file, 1 obsolete file)

better fix
(deleted), patch
nbp
: review+
Details | Diff | Splinter Review
The following testcase asserts on ionmonkey revision 14735b4dbccc (run with --ion -n -m): function enterFunc (funcName) funcName += "()"; var lfcode = new Array(); gczeal(2); evaluate("test();\ function test() {\ enterFunc ('test');\ (new test('(a(b(c)))(d(e(f)))\\\\2\\\\5'));\ }\ ");
Hardware: x86 → x86_64
Assignee: general → dvander
Status: NEW → ASSIGNED
This is some kind of horrible bug involving invalidation, gc - we're restoring a value to the interpreter stack which has been freed. Investigating.
Attached patch fix (obsolete) (deleted) — Splinter Review
Another simple off-by-N bug.
Attachment #624917 - Flags: review?(nicolas.b.pierron)
Attached patch better fix (deleted) — Splinter Review
Attachment #624917 - Attachment is obsolete: true
Attachment #624917 - Flags: review?(nicolas.b.pierron)
Attachment #624958 - Flags: review?(nicolas.b.pierron)
Comment on attachment 624958 [details] [diff] [review] better fix Review of attachment 624958 [details] [diff] [review]: ----------------------------------------------------------------- Good, would be better if you can define JSFunction *fun = maybeCalleeTokenToFunction(layout->calleeToken());
Attachment #624958 - Flags: review?(nicolas.b.pierron) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/8c54899dae82
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security
status-firefox-esr10: --- → unaffected
Keywords: sec-high
Early ion gc issue, in-testsuite-.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: