Persona is no longer an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 716013 - "Assertion failure: static_cast<Cell *>(thing)->isMarked(),"
: "Assertion failure: static_cast<Cell *>(thing)->isMarked(),"
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Mac OS X
: -- critical (vote)
: mozilla12
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz 703721
  Show dependency treegraph
Reported: 2012-01-06 12:29 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 07:59 PST (History)
8 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

stack (5.37 KB, text/plain)
2012-01-06 12:29 PST, Gary Kwong [:gkw] [:nth10sd]
no flags Details
patch (1.58 KB, patch)
2012-01-20 07:19 PST, Brian Hackett (:bhackett)
wmccloskey: review+
Details | Diff | Splinter Review

Description Gary Kwong [:gkw] [:nth10sd] 2012-01-06 12:29:40 PST
Created attachment 586516 [details]

f = (function() {
    for (x in [arguments, arguments]) yield(gczeal(4, function(){}))
for (i in f()) {}

asserts js debug shell on m-c changeset ae6e1f90b511 without any CLI arguments at Assertion failure: static_cast<Cell *>(thing)->isMarked(),

(not sure if this is totally correct)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   81322:290b3a7329c7
user:        Brian Hackett
date:        Fri Nov 18 12:54:40 2011 -0800
summary:     Move arguments object private data to a reserved slot, bug 703721.

s-s to play safe even though gczeal requires (4, function(){}).
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-01-06 12:30:39 PST
See also bug 704258, bug 713226 and bug 714619.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-01-06 13:00:04 PST
Replacing gczeal(4, function(){}) with gczeal(2) does not reproduce, so opening up.

I tested this on 32-bit and 64-bit debug shells on Snow Leopard.
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-01-11 13:32:55 PST
Bill, is this related to work on incremental GC?
Comment 4 Bill McCloskey (:billm) 2012-01-11 15:02:25 PST
Yes. Do you have time to look at this, Brian? I suspect that bug 703721 is causing us to miss an incremental barrier.
Comment 5 Brian Hackett (:bhackett) 2012-01-11 15:03:45 PST
Yeah, I should be able to look at this later this week.
Comment 6 Brian Hackett (:bhackett) 2012-01-20 07:19:48 PST
Created attachment 590195 [details] [diff] [review]

Arguments and call objects trace through the generator object in any floating frame they are associated with, except when that floating frame has been copied to the stack and is live.  Moving the stack frame out of the object's private data and to a PrivateValue reserved slot skipped the barrier.
Comment 7 Bill McCloskey (:billm) 2012-01-23 12:48:31 PST
Comment on attachment 590195 [details] [diff] [review]

Review of attachment 590195 [details] [diff] [review]:

Thanks Brian. I'm not entirely sure that we should forbid objects with trace hooks from being placed in the nursery, but we should fix this problem regardless.
Comment 8 Bill McCloskey (:billm) 2012-01-23 12:49:21 PST
Oh, I forgot, could you fix the typo in the comment ("aboug")?
Comment 9 Brian Hackett (:bhackett) 2012-01-23 14:00:05 PST
Comment 10 Marco Bonardo [::mak] 2012-01-24 04:56:43 PST
Comment 11 Christian Holler (:decoder) 2013-01-14 07:59:01 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug716013.js.

Note You need to log in before you can comment on or make changes to this bug.