Bug 713226 - Assertion failure: (static_cast<Cell *>(thing)->isMarked()), at jsgc.cpp:3556
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla13
Assigned To: Bill McCloskey (:billm)
Blocks: langfuzz
Reported: 2011-12-23 07:40 PST by Christian Holler (:decoder)
Modified: 2013-01-14 07:40 PST
choller: in-testsuite+


Attachments
patch (2.02 KB, patch)
2012-01-30 15:30 PST, Bill McCloskey (:billm)
bhackett1024: review+

Description Christian Holler (:decoder) 2011-12-23 07:40:20 PST
The following test asserts on larch branch (incremental GC) revision c5b90ea7e475 (options -m -n -a):


gczeal(4);
var optionNames = options().split(',');
  for (var i = 0; i < optionNames.length; i++)
    var optionName = optionNames[i];
      options(optionName);
evaluate("\
function addDebug(g, id) {\
    var debuggerGlobal = newGlobal('new-compartment');\
    debuggerGlobal.debuggee = g;\
    debuggerGlobal.id = id;\
    debuggerGlobal.print = function (s) { (g) += s; };\
    debuggerGlobal.eval('var dbg = new Debugger(debuggee);dbg.onDebuggerStatement = function () { print(id); debugger; };');\
    return debuggerGlobal;\
}\
var base = newGlobal('new-compartment');\
var top = base;\
for (var i = 0; i < 8; i++ )\
    top = addDebug(top, i);\
base.eval('debugger;');\
");
Comment 1 Bill McCloskey (:billm) 2011-12-29 10:21:34 PST
I can't find this rev on the larch branch. Is it a typo?

I tried this testcase on different revisions. I found one where it asserts with the |started| assertion that was fixed in bug 713214. I couldn't get an isMarked assertion. Can you look at this one again, Christian?
Comment 2 Christian Holler (:decoder) 2012-01-02 06:11:44 PST
The revision is a mozilla-central revision so I checked this again and the assertion is indeed on mozilla-central. So the mistake I made is specifying the wrong branch. I confirmed this being on m-c revision d98fbf3cbd71.
Comment 3 Christian Holler (:decoder) 2012-01-28 03:13:57 PST
This also involves a debugger, Ccing jsdbg2 devs.
Comment 4 Bill McCloskey (:billm) 2012-01-30 14:41:54 PST
I'm pretty sure this is unrelated to the debugger. It has to do with TI and call objects.
Comment 5 Bill McCloskey (:billm) 2012-01-30 15:30:42 PST
Created attachment 592892
patch

I guess we don't have type information for JSOP_SETNAME opcodes.
Comment 6 Brian Hackett (:bhackett) 2012-01-30 15:50:23 PST
Comment on attachment 592892
patch

Review of attachment 592892:
-----------------------------------------------------------------

::: js/src/methodjit/Compiler.cpp
@@ +5635,4 @@
>  #ifdef JSGC_INCREMENTAL_MJ
> +    /* Write barrier. We only have type information for JSOP_SETPROP. */
> +    if (cx->compartment->needsBarrier() &&
> +        (!types || op != JSOP_SETPROP || types->propertyNeedsBarrier(cx, id)))
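
Review bot: The test "op != JSOP_SETPROP" on the last added line sends every opcode other than JSOP_SETPROP down the barrier path, which is broader than the reason the comment gives (type information being available only for JSOP_SETPROP). The comment should name the opcodes that can reach this point and say which of them lack type information, and the condition should test for those opcodes explicitly so the conservative path is taken only where it is needed. If the condition is rewritten, keep "!types" ahead of "types->propertyNeedsBarrier(cx, id)", since that ordering is what prevents the call on a null types pointer.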

This should test for op == JSOP_SETNAME, so it does not slow path JSOP_SETMETHOD.  (I think SETMETHOD will always hit propertyNeedsBarrier anyways, but that's a little subtle).
Comment 8 Phil Ringnalda (:philor, back in August) 2012-02-10 19:50:47 PST
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/71f5bf4df2f6 - one of the six in that push was crashing in js::gc::Mark<JSString>
Comment 9 Bill McCloskey (:billm) 2012-02-12 14:47:53 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/3500272283ed

After I pushed I noticed that I forgot to address Brian's review comment. When I made the obvious change, the test case started to fail again. I'll look into this now.
Comment 10 Bill McCloskey (:billm) 2012-02-12 14:58:13 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/24bf37c95906

Never mind, it works now.
Comment 12 Christian Holler (:decoder) 2013-01-14 07:40:05 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug713226.js.
