Closed
Bug 1152623
Opened 10 years ago
Closed 10 years ago
Assertion failure: allocated(), at gc/Heap.h involving --unboxed-objects
Categories
(Core :: JavaScript Engine, defect)
VERIFIED
FIXED
mozilla40
People
(Reporter: gkw, Assigned: jonco)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update][b2g-adv-main2.2-])
Attachments
(1 file: 5.83 KB, text/plain)
for each (let y in [
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1},
{x: 1}
]) {}
asserts js debug shell on m-c changeset 8f57f60ee58a with --fuzzing-safe --no-threads --ion-eager --unboxed-objects at Assertion failure: allocated(), at gc/Heap.h.
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 8f57f60ee58a
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150408101233" and the hash "1dfe22ca4abe".
The "bad" changeset has the timestamp "20150408101933" and the hash "3ccd83f8e32b".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1dfe22ca4abe&tochange=3ccd83f8e32b
Locking s-s because potential regressor bug 1149526 is marked s-s.
Brian/Jon, is bug 1149526 a likely regressor? (not sure if it is related to GC or --unboxed-objects)
Flags: needinfo?(jcoppeard)
Flags: needinfo?(bhackett1024)
Comment 1•10 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x43e4f, 0x00000001007238b6 js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::gc::ArenaHeader::getAllocKind(this=<unavailable>) const + 150 at Heap.h:671, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00000001007238b6 js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::gc::ArenaHeader::getAllocKind(this=<unavailable>) const + 150 at Heap.h:671
frame #1: 0x0000000100187e2e js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::CheckGCIsSweepingZone(js::gc::Cell*) [inlined] js::gc::TenuredCell::getAllocKind(this=0x0000000103875040) const + 62 at Heap.h:1380
frame #2: 0x0000000100187e1e js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::CheckGCIsSweepingZone(js::gc::Cell*) [inlined] js::ThingMayHaveDifferentRuntime(cell=0x0000000103875040) at Barrier.cpp:88
frame #3: 0x0000000100187e1e js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::CheckGCIsSweepingZone(cell=0x0000000103875040) + 46 at Barrier.cpp:102
frame #4: 0x0000000100354c4f js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::UnboxedLayout::~UnboxedLayout() [inlined] js::InternalGCMethods<js::jit::JitCode*>::checkGCIsSweeping(v=<unavailable>) + 63 at Barrier.h:315
(lldb)
Updated•10 years ago (Reporter)
Summary: Assertion failure: allocated(), at gc/Heap.h → Assertion failure: allocated(), at gc/Heap.h involving --unboxed-objects
Comment 2•10 years ago (Assignee)
Yes, this is because bug 1149526 is trying to make use of a JitCode object after it has been finalized. I'm going to change the way this works in the original bug.
Flags: needinfo?(jcoppeard)
Flags: needinfo?(bhackett1024)
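The lifetime problem described in comment 2, as an added C++ example that is not part of the bug thread or Mozilla's code: a toy collector in which an owner's teardown check reads a cell's arena header after the cell was finalized. All types and names (`Heap`, `Layout`, `constructorCode`, `barrierCheckOk`) are constructed for illustration, and `clearBeforeFinalize` shows one possible ordering, not the patch that landed in bug 1149526.

```cpp
// Constructed toy model of the failure in this bug. Type names echo the
// backtrace, but none of this is SpiderMonkey code.
#include <cstdint>

enum class AllocKind : uint8_t { JitCode, Limit };  // Limit marks a free arena

struct ArenaHeader {
    AllocKind kind = AllocKind::Limit;
    bool allocated() const { return kind < AllocKind::Limit; }
};
struct Cell { ArenaHeader* arena; };

// Stand-in for the debug-only check reached from the destructor: it reads the
// cell's arena header, which is only meaningful while the arena is live.
// Returns false where the debug build in the report asserts on allocated().
bool barrierCheckOk(const Cell* cell) {
    return cell == nullptr || cell->arena->allocated();
}

struct Heap {
    ArenaHeader arena;
    Cell cell{&arena};
    Cell* allocJitCode() { arena.kind = AllocKind::JitCode; return &cell; }
    void finalizeAll() { arena.kind = AllocKind::Limit; }  // sweep frees the arena
};

// Stand-in for a non-GC owner that keeps a pointer to a GC-managed cell.
struct Layout {
    Cell* constructorCode = nullptr;  // hypothetical field name
    bool destroyCheck() const { return barrierCheckOk(constructorCode); }
};

// Order from the report: the cell is finalized, then its owner is torn down.
bool teardownAfterFinalize() {
    Heap heap; Layout layout;
    layout.constructorCode = heap.allocJitCode();
    heap.finalizeAll();
    return layout.destroyCheck();     // stale pointer: the check fails
}

// One possible ordering (an assumption, not the landed patch): the owner
// drops its reference before the collector finalizes the cell.
bool clearBeforeFinalize() {
    Heap heap; Layout layout;
    layout.constructorCode = heap.allocJitCode();
    layout.constructorCode = nullptr;
    heap.finalizeAll();
    return layout.destroyCheck();     // nothing left to inspect: the check passes
}

int main() { return (!teardownAfterFinalize() && clearBeforeFinalize()) ? 0 : 1; }
```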
Comment 3•10 years ago (Assignee)
Doesn't reproduce since the second patch in bug 1149526 landed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Comment 4•10 years ago (Reporter)
Marking FIXED by the second patch in bug 1149526. Thanks! :)
Resolution: WORKSFORME → FIXED
Updated•10 years ago
Status: RESOLVED → VERIFIED
Comment 5•10 years ago
JSBugMon: This bug has been automatically verified fixed.
Comment 7•10 years ago
Do we need to do anything for other branches here?
status-firefox39: --- → ?
status-firefox-esr31: --- → unaffected
Comment 8•10 years ago (Assignee)
(In reply to Al Billings [:abillings] from comment #7)
> Do we need to do anything for other branches here?
Bug 1149526 is being uplifted basically everywhere.
Updated•10 years ago
status-firefox39: ? → ---
Updated•10 years ago
Assignee: nobody → jcoppeard
status-b2g-v2.0: --- → fixed
status-b2g-v2.0M: --- → fixed
status-b2g-v2.1: --- → fixed
status-b2g-v2.1S: --- → fixed
status-b2g-v2.2: --- → fixed
status-b2g-master: --- → fixed
status-firefox38: --- → fixed
status-firefox38.0.5: --- → fixed
status-firefox39: --- → fixed
status-firefox-esr38: --- → fixed
Target Milestone: --- → mozilla40
Updated•10 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][b2g-adv-main2.2-]
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release