Closed
Bug 716013
Opened 14 years ago
Closed 14 years ago
"Assertion failure: static_cast<Cell *>(thing)->isMarked(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla12
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: js-triage-needed)
Attachments
(2 files)
|
5.37 KB,
text/plain
|
Details | |
|
1.58 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
f = (function() {
for (x in [arguments, arguments]) yield(gczeal(4, function(){}))
})
for (i in f()) {}
asserts js debug shell on m-c changeset ae6e1f90b511 without any CLI arguments at Assertion failure: static_cast<Cell *>(thing)->isMarked(),
(not sure if this is totally correct)
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 81322:290b3a7329c7
user: Brian Hackett
date: Fri Nov 18 12:54:40 2011 -0800
summary: Move arguments object private data to a reserved slot, bug 703721.
s-s to play safe even though gczeal requires (4, function(){}).
|
Reporter | |
Comment 1•14 years ago
|
||
|
|
Reporter | |
Comment 2•14 years ago
|
||
Replacing gczeal(4, function(){}) with gczeal(2) does not reproduce, so opening up.
I tested this on 32-bit and 64-bit debug shells on Snow Leopard.
|
|
Reporter | |
Updated•14 years ago
|
Group: core-security
|
|
Reporter | |
Comment 3•14 years ago
|
||
Bill, is this related to work on incremental GC?
Yes. Do you have time to look at this, Brian? I suspect that bug 703721 is causing us to miss an incremental barrier.
|
Assignee | |
Comment 5•14 years ago
|
||
Yeah, I should be able to look at this later this week.
|
|
Assignee | |
Comment 6•14 years ago
|
||
Arguments and call objects trace through the generator object in any floating frame they are associated with, except when that floating frame has been copied to the stack and is live. Moving the stack frame out of the object's private data and to a PrivateValue reserved slot skipped the barrier.
Assignee: general → bhackett1024
Attachment #590195 -
Flags: review?(wmccloskey)
Comment on attachment 590195 [details] [diff] [review]
patch
Review of attachment 590195 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks Brian. I'm not entirely sure that we should forbid objects with trace hooks from being placed in the nursery, but we should fix this problem regardless.
Attachment #590195 -
Flags: review?(wmccloskey) → review+
Oh, I forgot, could you fix the typo in the comment ("aboug")?
|
|
Assignee | |
Comment 9•14 years ago
|
||
|
||
Comment 10•14 years ago
|
||
Target Milestone: --- → mozilla12
|
|
Reporter | |
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Comment 11•13 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug716013.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•