Closed Bug 734763 Opened 13 years ago Closed 13 years ago

"Assertion failure: rt->gcMode != JSGC_MODE_GLOBAL" with certain GC prefs and forceShrinkingGC

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla13

People

(Reporter: jruderman, Assigned: billm)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

testcase
50 bytes, text/html
Details
fix
904 bytes, patch
gwagner
: review+
Details | Diff | Splinter Review
Attached file testcase
1. Install the new version of https://www.squarefree.com/extensions/domFuzzLite3.xpi 2. Set user_pref("javascript.options.mem.gc_incremental", false); user_pref("javascript.options.mem.gc_per_compartment", false); 3. Load the testcase. Result: Assertion failure: rt->gcMode != JSGC_MODE_GLOBAL, at jsgc.cpp:3600 Based on the stack trace, I suspect this is a regression from the following chunk of bug 730447's patch: @ MaybeGC + if (comp->gcMallocAndFreeBytes >= comp->gcTriggerMallocAndFreeBytes) { + GCSlice(cx, comp, GC_NORMAL, gcreason::MAYBEGC); + return; + }
Attached patch fixSplinter Review
This fixes two problems: 1. We're triggering a compartment GC when we're not supposed to. 2. We're triggering a GC when malloc bytes and trigger malloc bytes are both 0.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #605011 - Flags: review?(anygregor)
Attachment #605011 - Flags: review?(anygregor) → review+
https://hg.mozilla.org/mozilla-central/rev/ee1534c3a8e7
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: