Closed Bug 706316 Opened 12 years ago Closed 12 years ago

Assertion failure: isGCThing(), at ../../jsapi.h:536

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11

People

(Reporter: billm, Assigned: dmandelin)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

Patch
6.99 KB, patch
dvander
: review+
Details | Diff | Splinter Review 
+++ This bug was initially created as a clone of Bug #704795 +++

The following test asserts on mozilla-central revision 6f998cc964be (options -m -n -a):


gczeal(4);
function setprop() {
  var obj = { a:({   } )  };
  var obj2 = { b:-1, a:-1 };
  for (var i = 0; i < 20; (length(resultsY.global0, 42))) {
    obj2.b = obj.a = i;
  }
}
assertEq(setprop(), "19,-1,19");



Guessing this is only related to incremental GC due to gczeal(4), therefore not s-s.
On m-i tip (39b7b2f8e840), I get a different assertion:

Assertion failure: static_cast<Cell *>(thing)->isMarked(), at c:/sources/mozilla-inbound/js/src/jsgc.cpp:3530

For that assert, the test case can be reduced to:

gczeal(4);
function setprop() {
  for (var i = 0; i < 20; (length(resultsY.global0, 42))) {
  }
}
assertEq(setprop(), "19,-1,19");

and doesn't require any options to fail. It's asserting in a call to the verifier at the end of the exception-throwing path in the interpreter.
I still get the same behavior as comment 1 on the originally reported m-c revision. This is 32-bit on Win 7 if that could make a difference.
Attached patch PatchSplinter Review 
The problem, as Bill explained to me, was that the register sync that happens before the call was stepping on the register that holds obj. I solved it like this:

- Pin the obj register.
- Fix ImmutableSync not to step on pinned registers.
  - Primarily, I just had to make it not allocate pinned registers and not add them to the available set.
  - I also changed the sync code that initializes avail not to add pinned registers
  - I added an assert to protect against a pinned reg getting allocated.
Assignee: wmccloskey → dmandelin
Status: NEW → ASSIGNED
Attachment #579533 - Flags: review?(dvander)
Attachment #579533 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/3080aa9f675d
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug706316.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.