The default bug view has changed. See this FAQ.

"Assertion failure: static_cast<Cell *>(thing)->isMarked(),"

RESOLVED FIXED in mozilla12

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: gkw, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla12
x86
Mac OS X
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 586516 [details]
stack

f = (function() {
    for (x in [arguments, arguments]) yield(gczeal(4, function(){}))
})
for (i in f()) {}

asserts js debug shell on m-c changeset ae6e1f90b511 without any CLI arguments at Assertion failure: static_cast<Cell *>(thing)->isMarked(),

(not sure if this is totally correct)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   81322:290b3a7329c7
user:        Brian Hackett
date:        Fri Nov 18 12:54:40 2011 -0800
summary:     Move arguments object private data to a reserved slot, bug 703721.

s-s to play safe even though gczeal requires (4, function(){}).
(Reporter)

Comment 1

5 years ago
See also bug 704258, bug 713226 and bug 714619.
(Reporter)

Comment 2

5 years ago
Replacing gczeal(4, function(){}) with gczeal(2) does not reproduce, so opening up.

I tested this on 32-bit and 64-bit debug shells on Snow Leopard.
(Reporter)

Updated

5 years ago
Group: core-security
(Reporter)

Comment 3

5 years ago
Bill, is this related to work on incremental GC?
Yes. Do you have time to look at this, Brian? I suspect that bug 703721 is causing us to miss an incremental barrier.
Yeah, I should be able to look at this later this week.
Created attachment 590195 [details] [diff] [review]
patch

Arguments and call objects trace through the generator object in any floating frame they are associated with, except when that floating frame has been copied to the stack and is live.  Moving the stack frame out of the object's private data and to a PrivateValue reserved slot skipped the barrier.
Assignee: general → bhackett1024
Attachment #590195 - Flags: review?(wmccloskey)
Comment on attachment 590195 [details] [diff] [review]
patch

Review of attachment 590195 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks Brian. I'm not entirely sure that we should forbid objects with trace hooks from being placed in the nursery, but we should fix this problem regardless.
Attachment #590195 - Flags: review?(wmccloskey) → review+
Oh, I forgot, could you fix the typo in the comment ("aboug")?
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b5b7d538230
https://hg.mozilla.org/mozilla-central/rev/1b5b7d538230
Target Milestone: --- → mozilla12
(Reporter)

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug716013.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.