Closed Bug 1152623 Opened 10 years ago Closed 10 years ago

Assertion failure: allocated(), at gc/Heap.h involving --unboxed-objects

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla40
Tracking Status
firefox38 --- fixed
firefox38.0.5 --- fixed
firefox39 --- fixed
firefox40 --- verified
firefox-esr31 --- unaffected
firefox-esr38 --- fixed
b2g-v2.0 --- fixed
b2g-v2.0M --- fixed
b2g-v2.1 --- fixed
b2g-v2.1S --- fixed
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update][b2g-adv-main2.2-])

Attachments

(1 file)

for each (let y in [ {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1}, {x: 1} ]) {} asserts js debug shell on m-c changeset 8f57f60ee58a with --fuzzing-safe --no-threads --ion-eager --unboxed-objects at Assertion failure: allocated(), at gc/Heap.h. Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 8f57f60ee58a === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150408101233" and the hash "1dfe22ca4abe". The "bad" changeset has the timestamp "20150408101933" and the hash "3ccd83f8e32b". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1dfe22ca4abe&tochange=3ccd83f8e32b Locking s-s because potential regressor bug 1149526 is marked s-s. Brian/Jon, is bug 1149526 a likely regressor? (not sure if it is related to GC or --unboxed-objects)
Flags: needinfo?(jcoppeard)
Flags: needinfo?(bhackett1024)
Attached file stack
(lldb) bt 5 * thread #1: tid = 0x43e4f, 0x00000001007238b6 js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::gc::ArenaHeader::getAllocKind(this=<unavailable>) const + 150 at Heap.h:671, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x00000001007238b6 js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::gc::ArenaHeader::getAllocKind(this=<unavailable>) const + 150 at Heap.h:671 frame #1: 0x0000000100187e2e js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::CheckGCIsSweepingZone(js::gc::Cell*) [inlined] js::gc::TenuredCell::getAllocKind(this=0x0000000103875040) const + 62 at Heap.h:1380 frame #2: 0x0000000100187e1e js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::CheckGCIsSweepingZone(js::gc::Cell*) [inlined] js::ThingMayHaveDifferentRuntime(cell=0x0000000103875040) at Barrier.cpp:88 frame #3: 0x0000000100187e1e js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::CheckGCIsSweepingZone(cell=0x0000000103875040) + 46 at Barrier.cpp:102 frame #4: 0x0000000100354c4f js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::UnboxedLayout::~UnboxedLayout() [inlined] js::InternalGCMethods<js::jit::JitCode*>::checkGCIsSweeping(v=<unavailable>) + 63 at Barrier.h:315 (lldb)
Summary: Assertion failure: allocated(), at gc/Heap.h → Assertion failure: allocated(), at gc/Heap.h involving --unboxed-objects
Yes, this is because bug 1149526 is trying to make use of a JitCode object after it has been finalized. I'm going to change the way this works in the original bug.
Flags: needinfo?(jcoppeard)
Flags: needinfo?(bhackett1024)
Doesn't reproduce since the second patch in bug 1149526 landed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Marking FIXED by the second patch in bug 1149526. Thanks! :)
Resolution: WORKSFORME → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Do we need to do anything for other branches here?
(In reply to Al Billings [:abillings] from comment #7) > Do we need to do anything for other branches here? Bug 1149526 is being uplifted basically everywhere.
Assignee: nobody → jcoppeard
Target Milestone: --- → mozilla40
Whiteboard: [jsbugmon:update] → [jsbugmon:update][b2g-adv-main2.2-]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: