Bug 744285 - Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(*thingp)), at jsgc.cpp:4278
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla14
Assigned To: Bill McCloskey (:billm)
Duplicates: 744287 744356
Blocks: langfuzz
Reported: 2012-04-10 18:36 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:30 PST
choller: in‑testsuite+

Test case for shell (run with -n -m -a) (2.12 KB, application/javascript)
2012-04-10 18:36 PDT, Christian Holler (:decoder)
patch (5.47 KB, patch)
2012-04-11 14:31 PDT, Bill McCloskey (:billm)
igor: review+

Description Christian Holler (:decoder) 2012-04-10 18:36:06 PDT
Created attachment 613840
Test case for shell (run with -n -m -a)

The attached test asserts on mozilla-central revision 3fa30b0edd15 (options -m -a -n).

Marking s-s because this assertion is GC-related.

Billm: Is this a dup of bug 740509 or some other issue?
Comment 1 Bill McCloskey (:billm) 2012-04-11 14:31:02 PDT
Created attachment 614174

This is a regression from bug 739899. When doing conservative stack scanning, I checked the gcRunning flag to see if we should reject things in other compartments. However, this flag is set by AutoHeapSession (i.e., by pretty much anyone who will use the conservative scanner). We really need to be checking IS_GC_MARKING_TRACER.

This doesn't affect the GC or CC, so I don't think it's sensitive.
Comment 2 Igor Bukanov 2012-04-11 14:45:07 PDT
Comment on attachment 614174

Review of attachment 614174:

The test is really nice!
Comment 3 Bill McCloskey (:billm) 2012-04-11 16:18:30 PDT
*** Bug 744356 has been marked as a duplicate of this bug. ***
Comment 4 Bill McCloskey (:billm) 2012-04-11 16:20:26 PDT
*** Bug 744287 has been marked as a duplicate of this bug. ***
Comment 6 Marco Bonardo [::mak] 2012-04-13 04:25:09 PDT
Comment 7 Christian Holler (:decoder) 2013-01-14 08:30:42 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug744285.js.
