Closed Bug 702915 Opened 13 years ago Closed 13 years ago

Assertion failure: static_cast<Cell *>(thing)->isMarked(), at jsgc.cpp:3556

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla11

People

(Reporter: decoder, Assigned: billm)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

The attached test asserts on mozilla-central revision d51bd1645a2f (options -m -n -a). Test might be 64 bit only.

Stack (partial):

#0  0x00007ffff7bcdb3b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x00000000005c0dd2 in CrashInJS () at /srv/repos/mozilla-central/js/src/jsutil.cpp:95
#2  0x00000000005c0e2a in JS_Assert (s=0x78f990 "static_cast<Cell *>(thing)->isMarked()", file=0x78ed10 "/srv/repos/mozilla-central/js/src/jsgc.cpp", ln=3556) at /srv/repos/mozilla-central/js/src/jsutil.cpp:103
#3  0x00000000004afb87 in js::gc::EndVerifyBarriers (cx=0xb40ee0) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3556
#4  0x00000000004ae22b in AutoVerifyBarriers::AutoVerifyBarriers (this=0x7fffffffaa50, cx=0xb40ee0) at /srv/repos/mozilla-central/js/src/jsgc.cpp:2985
#5  0x00000000004ae2f5 in js_GC (cx=0xb40ee0, comp=0x0, gckind=GC_NORMAL, reason=js::gcstats::LASTDITCH) at /srv/repos/mozilla-central/js/src/jsgc.cpp:2988
#6  0x00000000004aba55 in js::gc::RunLastDitchGC (cx=0xb40ee0) at /srv/repos/mozilla-central/js/src/jsgc.cpp:1622
#7  0x00000000004aef6a in js::gc::RunDebugGC (cx=0xb40ee0) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3251
#8  0x0000000000570d03 in NewGCThing<js::Shape> (cx=0xb40ee0, kind=js::gc::FINALIZE_SHAPE, thingSize=64) at ../jsgcinlines.h:351
#9  0x00000000005706d9 in js_NewGCShape (cx=0xb40ee0) at ../jsgcinlines.h:408
#10 0x000000000056eab6 in js::PropertyTree::newShape (this=0xb41918, cx=0xb40ee0) at /srv/repos/mozilla-central/js/src/jspropertytree.cpp:70
#11 0x000000000056f1c7 in js::PropertyTree::getChild (this=0xb41918, cx=0xb40ee0, parent=0x7ffff6019c40, child=...) at /srv/repos/mozilla-central/js/src/jspropertytree.cpp:205
#12 0x0000000000580f8a in JSObject::getChildProperty (this=0x7ffff6007230, cx=0xb40ee0, parent=0x7ffff6019c40, child=...) at /srv/repos/mozilla-central/js/src/jsscope.cpp:451
#13 0x0000000000581e87 in JSObject::addPropertyInternal (this=0x7ffff6007230, cx=0xb40ee0, id=..., getter=0, setter=0, slot=9, attrs=1, flags=0, shortid=0, spp=0x7ffff60199f0) at /srv/repos/mozilla-central/js/src/jsscope.cpp:691
#14 0x0000000000581c63 in JSObject::addProperty (this=0x7ffff6007230, cx=0xb40ee0, id=..., getter=0, setter=0, slot=9, attrs=1, flags=0, shortid=0) at /srv/repos/mozilla-central/js/src/jsscope.cpp:656
#15 0x00000000004589e2 in JSObject::addDataProperty (this=0x7ffff6007230, cx=0xb40ee0, id=..., slot=9, attrs=1) at /srv/repos/mozilla-central/js/src/jsobj.h:1328
#16 0x000000000044e603 in JSObject::makeDenseArraySlow (this=0x7ffff6007230, cx=0xb40ee0) at /srv/repos/mozilla-central/js/src/jsarray.cpp:1414
#17 0x000000000044d511 in array_setGeneric (cx=0xb40ee0, obj=0x7ffff6007230, id=..., vp=0x7fffffffb010, strict=0) at /srv/repos/mozilla-central/js/src/jsarray.cpp:924
#18 0x0000000000529304 in JSObject::nonNativeSetProperty (this=0x7ffff6007230, cx=0xb40ee0, id=..., vp=0x7fffffffb010, strict=0) at /srv/repos/mozilla-central/js/src/jsobj.cpp:3679
#19 0x0000000000442f96 in JSObject::setGeneric (this=0x7ffff6007230, cx=0xb40ee0, id=..., vp=0x7fffffffb010, strict=0) at ../jsobjinlines.h:139
#20 0x000000000076cc26 in js::mjit::stubs::SetElem<0> (f=...) at /srv/repos/mozilla-central/js/src/methodjit/StubCalls.cpp:583
#21 0x000000000066dc84 in throwpoline_exit () at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:164
#22 0x000000000066df4c in js::mjit::EnterMethodJIT (cx=0xb40ee0, fp=0x7ffff63fb158, code=0x7ffff7f5b2c0, stackLimit=0x7ffff67db000, partial=true) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1064

As the test uses gczeal(4) and has js::gc::EndVerifyBarriers on the stack, I assume this is only related to incremental GC and not security critical for our current builds.
Attached patch fixSplinter Review
This bug turns out to be a false positive related to the fix for bug 701682. The barrier verifier checks a stricter condition than what is needed for incremental GC correctness. For incremental GC, we only require that pointers that have been overwritten are marked by the end of the GC. The verifier only checks mark bits set by the barriers--it doesn't take into account root scanning. In the array slowification code, we rely on an autorooter to keep the array slots marked. So this patch just adds autorooter marking to the verifier.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #574952 - Flags: review?(bhackett1024)
Attachment #574952 - Flags: review?(bhackett1024) → review+
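Added illustration, not code from the bug, the patch, or the SpiderMonkey sources: a small C++ model of the verifier reasoning in the comment above. A barrier-only verifier treats every overwritten pointer that the barrier did not mark as a failure, even when a root (the autorooter) keeps that pointer marked, which is the false positive described. The types and functions here (VerifierHeap, storeEdge, scanRoots, verify, the three scenario functions) are hypothetical stand-ins, not jsgc.cpp APIs.

```cpp
#include <cstdio>
#include <set>
#include <vector>

// A GC cell. Marking is tracked on the side, split by who did the marking,
// so the verifier can be asked either question (barrier-only or barrier+roots).
struct Cell { int id; };

struct VerifierHeap {
    std::set<const Cell*> barrierMarked;   // marked by a pre-write barrier
    std::set<const Cell*> rootMarked;      // marked by scanning roots
    std::vector<const Cell*> overwritten;  // old targets of every overwritten edge
    std::vector<const Cell*> roots;        // stand-in for autorooters on the C stack

    // Overwrite an edge. With the barrier active, the old target is marked
    // (snapshot-at-the-beginning); either way the verifier records the old value.
    void storeEdge(const Cell*& slot, const Cell* value, bool barrierActive) {
        if (const Cell* old = slot) {
            overwritten.push_back(old);
            if (barrierActive) barrierMarked.insert(old);
        }
        slot = value;
    }

    void scanRoots() {
        for (const Cell* r : roots) rootMarked.insert(r);
    }

    // End-of-GC check: every overwritten target must be marked.
    // includeRootMarking=false is the stricter, barrier-only check.
    bool verify(bool includeRootMarking) const {
        for (const Cell* c : overwritten) {
            bool marked = barrierMarked.count(c) != 0;
            if (!marked && includeRootMarking) marked = rootMarked.count(c) != 0;
            if (!marked) return false;
        }
        return true;
    }
};

struct ArrayLike { const Cell* elements = nullptr; };

// Scenario 1 (the false positive): the elements pointer is replaced while an
// autorooter holds the old one, and no barrier fires. Incremental GC is still
// correct because root scanning marks the old elements.
bool rootedUnbarrieredStoreVerifies(bool includeRootMarking) {
    Cell oldElems{1}, newElems{2};
    VerifierHeap heap;
    ArrayLike arr; arr.elements = &oldElems;
    heap.roots.push_back(&oldElems);                 // the autorooter
    heap.storeEdge(arr.elements, &newElems, false);  // overwrite, no barrier
    heap.scanRoots();
    return heap.verify(includeRootMarking);
}

// Scenario 2: the same store with the write barrier active; passes either way.
bool barrieredStoreVerifies(bool includeRootMarking) {
    Cell oldElems{1}, newElems{2};
    VerifierHeap heap;
    ArrayLike arr; arr.elements = &oldElems;
    heap.storeEdge(arr.elements, &newElems, true);   // barrier marks oldElems
    heap.scanRoots();
    return heap.verify(includeRootMarking);
}

// Scenario 3: neither rooted nor barriered. This is a genuine missing-barrier
// bug, and both forms of the verifier must reject it.
bool unrootedUnbarrieredStoreVerifies(bool includeRootMarking) {
    Cell oldElems{1}, newElems{2};
    VerifierHeap heap;
    ArrayLike arr; arr.elements = &oldElems;
    heap.storeEdge(arr.elements, &newElems, false);
    heap.scanRoots();
    return heap.verify(includeRootMarking);
}

int main() {
    std::printf("rooted, no barrier:   barrier-only=%d with-roots=%d\n",
                rootedUnbarrieredStoreVerifies(false), rootedUnbarrieredStoreVerifies(true));
    std::printf("barriered:            barrier-only=%d with-roots=%d\n",
                barrieredStoreVerifies(false), barrieredStoreVerifies(true));
    std::printf("unrooted, no barrier: barrier-only=%d with-roots=%d\n",
                unrootedUnbarrieredStoreVerifies(false), unrootedUnbarrieredStoreVerifies(true));
    return 0;
}
```

The point to check when loosening a verifier like this is scenario 3: adding root marking must not make a real missing barrier pass, so the unrooted, unbarriered store still fails under both settings.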
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
