Bug 744285 - Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(*thingp)), at jsgc.cpp:4278
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla14
Assigned To: Bill McCloskey (:billm)
: Jason Orendorff [:jorendorff]
Duplicates: 744287 744356
Blocks: langfuzz
Reported: 2012-04-10 18:36 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:30 PST
choller: in‑testsuite+

Test case for shell (run with -n -m -a) (2.12 KB, application/javascript)
2012-04-10 18:36 PDT, Christian Holler (:decoder)
patch (5.47 KB, patch)
2012-04-11 14:31 PDT, Bill McCloskey (:billm)
igor: review+

Description Christian Holler (:decoder) 2012-04-10 18:36:06 PDT
Created attachment 613840
Test case for shell (run with -n -m -a)

The attached test asserts on mozilla-central revision 3fa30b0edd15 (options -m -a -n).

Marking s-s because this assertion is GC-related.

Billm: Is this a dup of bug 740509 or some other issue?

Comment 1 Bill McCloskey (:billm) 2012-04-11 14:31:02 PDT
Created attachment 614174

This is a regression from bug 739899. When doing conservative stack scanning, I checked the gcRunning flag to see if we should reject things in other compartments. However, this flag is set by AutoHeapSession (i.e., by pretty much anyone who will use the conservative scanner). We really need to be checking IS_GC_MARKING_TRACER.

This doesn't affect the GC or CC, so I don't think it's sensitive.

Comment 2 Igor Bukanov 2012-04-11 14:45:07 PDT
Comment on attachment 614174

Review of attachment 614174:

The test is really nice!

Comment 3 Bill McCloskey (:billm) 2012-04-11 16:18:30 PDT
*** Bug 744356 has been marked as a duplicate of this bug. ***

Comment 4 Bill McCloskey (:billm) 2012-04-11 16:20:26 PDT
*** Bug 744287 has been marked as a duplicate of this bug. ***

Comment 6 Marco Bonardo [::mak] 2012-04-13 04:25:09 PDT

Comment 7 Christian Holler (:decoder) 2013-01-14 08:30:42 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug744285.js.
