Bug 713226 - Assertion failure: (static_cast<Cell *>(thing)->isMarked()), at jsgc.cpp:3556
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla13
Assigned To: Bill McCloskey (:billm)
QA Contact: Jason Orendorff [:jorendorff]
Blocks: langfuzz
Reported: 2011-12-23 07:40 PST by Christian Holler (:decoder)
Modified: 2013-01-14 07:40 PST
choller: in‑testsuite+

patch (2.02 KB, patch)
2012-01-30 15:30 PST, Bill McCloskey (:billm)
bhackett1024: review+

Description Christian Holler (:decoder) 2011-12-23 07:40:20 PST
The following test asserts on larch branch (incremental GC) revision c5b90ea7e475 (options -m -n -a):

var optionNames = options().split(',');
  for (var i = 0; i < optionNames.length; i++)
    var optionName = optionNames[i];
function addDebug(g, id) {\
    var debuggerGlobal = newGlobal('new-compartment');\
    debuggerGlobal.debuggee = g;\ = id;\
    debuggerGlobal.print = function (s) { (g) += s; };\
    debuggerGlobal.eval('var dbg = new Debugger(debuggee);dbg.onDebuggerStatement = function () { print(id); debugger; };');\
    return debuggerGlobal;\
var base = newGlobal('new-compartment');\
var top = base;\
for (var i = 0; i < 8; i++ )\
    top = addDebug(top, i);\
Comment 1 Bill McCloskey (:billm) 2011-12-29 10:21:34 PST
I can't find this rev on the larch branch. Is it a typo?

I tried this testcase on different revisions. I found one where it asserts with the |started| assertion that was fixed in bug 713214. I couldn't get an isMarked assertion. Can you look at this one again, Christian?
Comment 2 Christian Holler (:decoder) 2012-01-02 06:11:44 PST
The revision is a mozilla-central revision so I checked this again and the assertion is indeed on mozilla-central. So the mistake I made is specifying the wrong branch. I confirmed this being on m-c revision d98fbf3cbd71.
Comment 3 Christian Holler (:decoder) 2012-01-28 03:13:57 PST
This also involves a debugger, Ccing jsdbg2 devs.
Comment 4 Bill McCloskey (:billm) 2012-01-30 14:41:54 PST
I'm pretty sure this is unrelated to the debugger. It has to do with TI and call objects.
Comment 5 Bill McCloskey (:billm) 2012-01-30 15:30:42 PST
Created attachment 592892

I guess we don't have type information for JSOP_SETNAME opcodes.
Comment 6 Brian Hackett (:bhackett) 2012-01-30 15:50:23 PST
Comment on attachment 592892

Review of attachment 592892:

::: js/src/methodjit/Compiler.cpp
@@ +5635,4 @@
> +    /* Write barrier. We only have type information for JSOP_SETPROP. */
> +    if (cx->compartment->needsBarrier() &&
> +        (!types || op != JSOP_SETPROP || types->propertyNeedsBarrier(cx, id)))
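
Review bot: the `op != JSOP_SETPROP` term in the condition sends every opcode other than JSOP_SETPROP down the barrier path, yet the comment above it only says where type information exists, not which opcodes reach this code without it. Name those opcodes in the comment (the discussion on this bug points at JSOP_SETNAME) and say that the fallback is deliberately conservative, so that anyone narrowing the test later knows to re-run the bug's test case against it. The body guarded by this `if` is not visible in the quoted lines, so the cost of taking the barrier path cannot be judged from here.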

This should test for op == JSOP_SETNAME, so it does not slow path JSOP_SETMETHOD.  (I think SETMETHOD will always hit propertyNeedsBarrier anyways, but that's a little subtle).
Comment 8 Phil Ringnalda (:philor) 2012-02-10 19:50:47 PST
Backed out in - one of the six in that push was crashing in js::gc::Mark<JSString>
Comment 9 Bill McCloskey (:billm) 2012-02-12 14:47:53 PST

After I pushed I noticed that I forgot to address Brian's review comment. When I made the obvious change, the test case started to fail again. I'll look into this now.
Comment 10 Bill McCloskey (:billm) 2012-02-12 14:58:13 PST

Never mind, it works now.
Comment 12 Christian Holler (:decoder) 2013-01-14 07:40:05 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug713226.js.
