Bug 729571 - Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(*thingp)), at jsgc.cpp:4363
Status: RESOLVED FIXED
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Other Branch
: x86_64 Linux
: -- major
Assigned To: Bill McCloskey (:billm)
: Jason Orendorff [:jorendorff]
Blocks: langfuzz
Reported: 2012-02-22 09:09 PST by Christian Holler (:decoder)
Modified: 2013-02-07 05:16 PST
choller: in‑testsuite+



Description Christian Holler (:decoder) 2012-02-22 09:09:12 PST
The following testcase asserts on ionmonkey revision ca97bbcd6b90 (run with --ion -n -m), tested on 64 bit:


gczeal(4);
function TestCase(n, d, e, a) {}
TestCase.prototype.dump = function () {};
TestCase.prototype.testFailed = (function TestCase_testFailed() { 
	});
  try  {
    try    {    }    catch(ex1)    {    }
  }  catch(ex)  {  }
  options.initvalues  = {};
  var optionNames = options().split(',');
  var optionsframe = {};
  try  {
    optionsClear();
  }  catch(ex)  {  }
var lfcode = new Array();
lfcode.push("\
  try {  } catch (exception) {  }\
    try {    } catch (exception) {    }\
    try {    } catch (exception) {    }\
    try {    } catch (actual) {    }\
        var props = {};\
  function test(which) {\
    var g = newGlobal(\"new-compartment\");\
    function addDebugger(g, i) {\
        var dbg = Debugger(g);\
        dbg.onDebuggerStatement = function (frame) { };\
    }\
    for (var i = 0; i < 3; i++) {\
        addDebugger(g, i);\
    }\
    g.eval(\"debugger;\");\
}\
for (var j = 0; j < 3; j++) test(j);\
");
while (true) {
	var file = lfcode.shift(); if (file == undefined) { break; }
	try { evaluate(file); } catch (lfVare) { }
}
Comment 1 David Anderson [:dvander] 2012-02-22 19:54:45 PST
This assert triggers for me without any shell arguments, and seems to trigger on m-c too
Comment 2 Bill McCloskey (:billm) 2012-02-22 22:36:26 PST
Could you take a look at this, Terrence?
Comment 3 Bill McCloskey (:billm) 2012-02-27 18:50:11 PST
David, what m-c revision did you test with? I'm not seeing this on tip.
Comment 4 David Anderson [:dvander] 2012-02-27 18:53:28 PST
(In reply to Bill McCloskey (:billm) from comment #3)
> David, what m-c revision did you test with? I'm not seeing this on tip.

changeset:   87454:5e756e59a794
Comment 5 Bill McCloskey (:billm) 2012-02-27 19:01:45 PST
I can reproduce. I'll take a look at it tomorrow.
Comment 6 Bill McCloskey (:billm) 2012-02-28 14:15:46 PST
This is a false positive from the barrier verifier. It happens because TraceRuntime doesn't normally traverse debugger objects, since that happens from Debugger::markAllIteratively. So, from the write barrier verifier's perspective, a Debugger object is appearing out of nowhere when it gets used by some code.

I'm going to put this on hold for a little while.
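
A simplified model of the situation described in comment 6, added here as an illustration (not SpiderMonkey code and not written by anyone in this thread): a verifier whose snapshot covers only what root tracing reaches flags a live Debugger object as soon as running code touches it. Every name except TraceRuntime, markAllIteratively and IsMarkedOrAllocated is hypothetical, and the second scenario only shows that the failure comes from snapshot coverage.

```javascript
// Toy model, constructed for illustration; not SpiderMonkey code.
// Only TraceRuntime, markAllIteratively and IsMarkedOrAllocated come from the bug.
class Cell {
  constructor(name) { this.name = name; this.edges = []; this.allocatedSinceSnapshot = false; }
}

// Stand-in for TraceRuntime: every cell reachable from the given roots.
function traceFrom(roots) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length) {
    const cell = stack.pop();
    if (seen.has(cell)) continue;
    seen.add(cell);
    stack.push(...cell.edges);
  }
  return seen;
}

// Stand-in for the asserted condition: in the snapshot, or allocated after it.
function isMarkedOrAllocated(snapshot, cell) {
  return snapshot.has(cell) || cell.allocatedSinceSnapshot;
}

// Take the snapshot, let the "mutator" touch cells, and return the names of
// touched cells that would trip the assertion.
function verify(snapshotRoots, heap) {
  const snapshot = traceFrom(snapshotRoots);
  const fresh = new Cell("frame");          // allocated after the snapshot
  fresh.allocatedSinceSnapshot = true;
  const touched = [heap.script, fresh, heap.dbg];
  return touched.filter(c => !isMarkedOrAllocated(snapshot, c)).map(c => c.name);
}

function buildHeap() {
  const global = new Cell("global");
  const script = new Cell("script");
  global.edges.push(script);
  // Live, but marked by a separate debugger pass rather than by root tracing.
  const dbg = new Cell("Debugger");
  return { global, script, dbg };
}

function runScenarios() {
  const a = buildHeap(), b = buildHeap();
  return {
    rootsOnly: verify([a.global], a),              // snapshot misses the Debugger
    withDebuggers: verify([b.global, b.dbg], b),   // snapshot also covers it
  };
}
console.log(runScenarios());
```
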
Comment 7 Christian Holler (:decoder) 2012-03-29 03:20:54 PDT
What is the status here? I do have another test with this assertion, but without this one resolved, it's hard to say if it's the same thing.
Comment 8 Bill McCloskey (:billm) 2012-03-29 07:31:49 PDT
(In reply to Christian Holler (:decoder) from comment #7)
> What is the status here? I do have another test with this assertion, but
> without this one resolved, it's hard to say if it's the same thing.

I'll try to fix it soon. If the other test case doesn't involve debugger objects, then it's different than this.
Comment 9 Bill McCloskey (:billm) 2012-05-08 11:18:26 PDT
I removed this assert, so I don't think this should trigger anymore.
Comment 10 Bill McCloskey (:billm) 2012-05-08 11:26:14 PDT
This was fixed by bug 748119.
Comment 11 Christian Holler (:decoder) 2013-02-07 05:16:07 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
