Closed Bug 732758 Opened 12 years ago Closed 12 years ago

IonMonkey: "Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(*thingp))," with verifybarriers and gc

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED

People

(Reporter: gkw, Assigned: dvander)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files, 2 obsolete files)

Attached file stack
function tryItOut(code) {
    try {
        f = Function(code)
    } catch (r) {}
    v = tryRunning(f, code)
    x = String;
    for (e in v) {}
}
function tryRunning() {
    try {
        rv = f();
        return rv;
    } catch (r) {
        x = String;
    }
}
__proto__.__defineSetter__("x", function() {});
tryItOut("/()/;\"\"()");
tryItOut("}");
tryItOut("");
tryItOut("o");
tryItOut(")");
tryItOut("(");
tryItOut(")");
tryItOut("}");
tryItOut("}");
tryItOut(")");
tryItOut(")");
tryItOut("");
tryItOut("l;function u(){/j/}");
tryItOut("(");
tryItOut("t");
tryItOut("(");
tryItOut(")");
tryItOut("(");
tryItOut("");
tryItOut("{t:g}");
tryItOut("r");
tryItOut("p");
tryItOut("gc()");
tryItOut("verifybarriers()");
tryItOut("/**/yield");

Asserts js debug shell on IonMonkey changeset 1fd6c40d3852 with --ion and -n at Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(*thingp)). The testcase is seemingly fragile and must be passed in as a CLI argument to reproduce.

Due to skipped revisions, the first bad revision could be any of:
changeset:   88151:8add57bafb0d
user:        David Anderson
date:        Tue Feb 21 12:47:02 2012 -0800
summary:     Implement IonMonkey write barriers (bug 724875, r=jandem,marty).

changeset:   88152:82c6ca0616d0
user:        David Anderson
date:        Tue Feb 21 12:48:48 2012 -0800
summary:     Work around argument-check bailouts not having a scope chain set (bug 724788, r=jandem).

changeset:   88153:6dd34eec6fbe
user:        Nicolas Pierron
date:        Tue Feb 21 13:59:08 2012 -0800
summary:     Fast version of charAt, charCodeAt and fromCharCode (Bug 718853, r=dvander)

changeset:   88348:61980734d3a2
parent:      88152:82c6ca0616d0
parent:      88347:7dcbce54a953
user:        David Anderson
date:        Tue Feb 21 15:08:22 2012 -0800
summary:     Merge from mozilla-central.

changeset:   88349:5a061abdf807
parent:      88348:61980734d3a2
parent:      88153:6dd34eec6fbe
user:        David Anderson
date:        Tue Feb 21 15:08:43 2012 -0800
summary:     Merge.

changeset:   88350:ca97bbcd6b90
user:        David Anderson
date:        Tue Feb 21 15:16:23 2012 -0800
summary:     Fix some merge fallout.

changeset:   88351:4307162c30b6
user:        Nicolas Pierron
date:        Tue Feb 21 15:55:40 2012 -0800
summary:     Fix OSX: Move explicit template instantiation to CPP file (Bug 718853, r=dvander)

changeset:   88352:70cc24cdd404
user:        Nicolas Pierron
date:        Tue Feb 21 18:43:53 2012 -0800
summary:     Fix OS X compilation, explicitly instantiate the function after its definition. (Bug 718853, r=dvander)

changeset:   88353:acb08144edf1
user:        Nicolas Pierron
date:        Tue Feb 21 22:06:47 2012 -0800
summary:     Implement JSOP_INITELEM. (Bug 691340, r=jandem)

changeset:   88354:14d9f14b129e
user:        Jan de Mooij
date:        Wed Feb 22 09:46:50 2012 +0100
summary:     Fix Clang (and probably also MSVC) errors (no bug, r=red)
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
Attached patch fix (obsolete) — Splinter Review
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #603568 - Flags: review?(wmccloskey)
Attached patch correct patch (obsolete) — Splinter Review
Attachment #603568 - Attachment is obsolete: true
Attachment #603570 - Flags: review?(wmccloskey)
Attachment #603568 - Flags: review?(wmccloskey)
Attached patch argh — Splinter Review
Bleh, sorry for spam. hg qfin is beyond broken.
Attachment #603570 - Attachment is obsolete: true
Attachment #603571 - Flags: review?(wmccloskey)
Attachment #603570 - Flags: review?(wmccloskey)
Attachment #603571 - Flags: review?(wmccloskey) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/76017d709ef3
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug732758.js.
Flags: in-testsuite+