1152635 - Assertion failure: GCIsSweepingOnMainThread(rt, zone), at gc/Barrier.cpp

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

for (v of [Array].join()) {}

asserts js debug shell on m-c changeset 8f57f60ee58a with --fuzzing-safe --no-threads --unboxed-objects --no-ion at Assertion failure: GCIsSweepingOnMainThread(rt, zone), at gc/Barrier.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 8f57f60ee58a

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150408101233" and the hash "1dfe22ca4abe".
The "bad" changeset has the timestamp "20150408101933" and the hash "3ccd83f8e32b".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1dfe22ca4abe&tochange=3ccd83f8e32b

Locking s-s because potential regressor bug 1149526 is marked s-s.

Brian/Jon, is bug 1149526 a likely regressor? (not sure if it is related to GC or --unboxed-objects)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x562eb, 0x0000000100187ed9 js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::CheckGCIsSweepingZone(cell=<unavailable>) + 233 at Barrier.cpp:109, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100187ed9 js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::CheckGCIsSweepingZone(cell=<unavailable>) + 233 at Barrier.cpp:109
    frame #1: 0x0000000100354c87 js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::UnboxedLayout::~UnboxedLayout() [inlined] js::InternalGCMethods<js::Shape*>::checkGCIsSweeping(v=<unavailable>) + 119 at Barrier.h:315
    frame #2: 0x0000000100354c7a js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::UnboxedLayout::~UnboxedLayout() [inlined] js::BarrieredBase<js::Shape*>::checkGCIsSweeping() + 6 at Barrier.h:477
    frame #3: 0x0000000100354c74 js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::UnboxedLayout::~UnboxedLayout() at Barrier.h:545
    frame #4: 0x0000000100354c74 js-dbg-64-dm-nsprBuild-darwin-8f57f60ee58a`js::UnboxedLayout::~UnboxedLayout() [inlined] js::HeapPtr<js::Shape*>::~HeapPtr() at Barrier.h:545
(lldb)

Comment 2

[Jon Coppeard (:jonco)]

Attachment: bug1152635-heap-ptr-assertion

Looks like my assertions need to account for the fact that we can run the background sweeping on the main thread too.

Comment 3

[Jon Coppeard (:jonco)]

Comment on attachment 8590152 [details] [diff] [review]
bug1152635-heap-ptr-assertion

At this point I think the fix is to rewrite the original change.

Comment 4

[Jon Coppeard (:jonco)]

Doesn't reproduce since the second patch in bug 1149526 landed.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Marking FIXED by the second patch in bug 1149526.

Comment 6

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.