Bug 729571 - Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(*thingp)), at jsgc.cpp:4363
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- major
Assigned To: Bill McCloskey (:billm)
Blocks: langfuzz
Reported: 2012-02-22 09:09 PST by Christian Holler (:decoder)
Modified: 2013-02-07 05:16 PST
choller: in‑testsuite+

Description Christian Holler (:decoder) 2012-02-22 09:09:12 PST
The following testcase asserts on ionmonkey revision ca97bbcd6b90 (run with --ion -n -m), tested on 64 bit:


gczeal(4);
function TestCase(n, d, e, a) {}
TestCase.prototype.dump = function () {};
TestCase.prototype.testFailed = (function TestCase_testFailed() { 
	});
  try  {
    try    {    }    catch(ex1)    {    }
  }  catch(ex)  {  }
  options.initvalues  = {};
  var optionNames = options().split(',');
  var optionsframe = {};
  try  {
    optionsClear();
  }  catch(ex)  {  }
var lfcode = new Array();
lfcode.push("\
  try {  } catch (exception) {  }\
    try {    } catch (exception) {    }\
    try {    } catch (exception) {    }\
    try {    } catch (actual) {    }\
        var props = {};\
  function test(which) {\
    var g = newGlobal(\"new-compartment\");\
    function addDebugger(g, i) {\
        var dbg = Debugger(g);\
        dbg.onDebuggerStatement = function (frame) { };\
    }\
    for (var i = 0; i < 3; i++) {\
        addDebugger(g, i);\
    }\
    g.eval(\"debugger;\");\
}\
for (var j = 0; j < 3; j++) test(j);\
");
while (true) {
	var file = lfcode.shift(); if (file == undefined) { break; }
	try { evaluate(file); } catch (lfVare) { }
}
Comment 1 David Anderson [:dvander] 2012-02-22 19:54:45 PST
This assert triggers for me without any shell arguments, and seems to trigger on m-c too.
Comment 2 Bill McCloskey (:billm) 2012-02-22 22:36:26 PST
Could you take a look at this, Terrence?
Comment 3 Bill McCloskey (:billm) 2012-02-27 18:50:11 PST
David, what m-c revision did you test with? I'm not seeing this on tip.
Comment 4 David Anderson [:dvander] 2012-02-27 18:53:28 PST
(In reply to Bill McCloskey (:billm) from comment #3)
> David, what m-c revision did you test with? I'm not seeing this on tip.

changeset:   87454:5e756e59a794
Comment 5 Bill McCloskey (:billm) 2012-02-27 19:01:45 PST
I can reproduce. I'll take a look at it tomorrow.
Comment 6 Bill McCloskey (:billm) 2012-02-28 14:15:46 PST
This is a false positive from the barrier verifier. It happens because TraceRuntime doesn't normally traverse debugger objects, since that happens from Debugger::markAllIteratively. So, from the write barrier verifier's perspective, a Debugger object is appearing out of nowhere when it gets used by some code.

I'm going to put this on hold for a little while.
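
The false positive described in comment 6, as a simplified model added here (not SpiderMonkey code and not part of the original thread): the verifier snapshots only what the root trace reaches, so a pre-existing cell kept alive by a separate marking pass is neither marked nor newly allocated. The names Cell, Verifier, checkDebuggerCell and checkFreshCell are hypothetical.

```cpp
// Simplified model of a snapshot-based write barrier verifier.
// Added example: every name here is hypothetical, not the engine's API.
#include <cstdio>
#include <set>
#include <vector>

struct Cell { std::vector<Cell*> edges; };  // heap object with outgoing references

struct Verifier {
    std::set<const Cell*> marked;     // cells reached when the snapshot was taken
    std::set<const Cell*> allocated;  // cells created after the snapshot

    // Record everything reachable from the given roots.
    void snapshot(const std::vector<Cell*>& roots) {
        std::vector<const Cell*> stack(roots.begin(), roots.end());
        while (!stack.empty()) {
            const Cell* c = stack.back();
            stack.pop_back();
            if (!marked.insert(c).second) continue;  // already visited
            for (Cell* e : c->edges) stack.push_back(e);
        }
    }
    void noteAllocation(const Cell* c) { allocated.insert(c); }
    // The invariant behind the assertion in this bug's title.
    bool isMarkedOrAllocated(const Cell* c) const {
        return marked.count(c) || allocated.count(c);
    }
};

// A debugger cell exists before the snapshot but is not reachable from the
// ordinary roots; it is only visited if the snapshot also walks debuggers.
bool checkDebuggerCell(bool snapshotIncludesDebuggers) {
    Cell global, debugger;
    Verifier v;
    v.snapshot({&global});
    if (snapshotIncludesDebuggers) v.snapshot({&debugger});
    global.edges.push_back(&debugger);  // the mutator starts using the debugger cell
    return v.isMarkedOrAllocated(&debugger);
}

// A cell created after the snapshot satisfies the invariant via the allocation set.
bool checkFreshCell() {
    Cell global, fresh;
    Verifier v;
    v.snapshot({&global});
    v.noteAllocation(&fresh);
    global.edges.push_back(&fresh);
    return v.isMarkedOrAllocated(&fresh);
}

int main() {
    std::printf("roots only: %d, with debuggers: %d, fresh: %d\n",
                (int)checkDebuggerCell(false), (int)checkDebuggerCell(true), (int)checkFreshCell());
}
```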
Comment 7 Christian Holler (:decoder) 2012-03-29 03:20:54 PDT
What is the status here? I do have another test with this assertion, but without this one resolved, it's hard to say if it's the same thing.
Comment 8 Bill McCloskey (:billm) 2012-03-29 07:31:49 PDT
(In reply to Christian Holler (:decoder) from comment #7)
> What is the status here? I do have another test with this assertion, but
> without this one resolved, it's hard to say if it's the same thing.

I'll try to fix it soon. If the other test case doesn't involve debugger objects, then it's different than this.
Comment 9 Bill McCloskey (:billm) 2012-05-08 11:18:26 PDT
I removed this assert, so I don't think this should trigger anymore.
Comment 10 Bill McCloskey (:billm) 2012-05-08 11:26:14 PDT
This was fixed by bug 748119.
Comment 11 Christian Holler (:decoder) 2013-02-07 05:16:07 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
