780027 - Crash [@ js::gc::MarkInternal<JSString>] or [@ js::gc::MarkIdRootRange] or "Assertion failure: thing,"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stacks

x = y = [0,,0]
print(uneval)
for (z = 0; z < 89; ++z) {
    x = x.concat(y)
}
schedulegc(8)
uneval(x)

asserts js debug shell on m-i changeset 1924fe55fb6e without any CLI arguments at Assertion failure: thing, and crashes js opt shell at js::gc::MarkInternal<JSString> with js::gc::MarkIdRootRange somewhere on the stack.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect is running, but incremental GC stuff seem to be on the stack, cc'ing iGC folks.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: not the smallest regression window

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I won't have the regressing bug pointed at by autoBisect because in the range in comment 2, some changesets don't compile, so it's about the best one can have for the moment.

Comment 4

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Attachment: patch

We're asserting because we try to mark a NULL jsid. That happens because we aren't properly initializing an AutoIdVector after reserving space out of it.

Comment 5

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Not sensitive because it only affects JS_MORE_DETERMINISTIC builds.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This is likely fallout from bug 779393 which in turn likely was fallout from bug 776579.

Comment 7

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/475b2318e182

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/475b2318e182