Bug 756732 - "Assertion failure: clasp->flags & (1<<5),"
Status: RESOLVED FIXED
Whiteboard: [js:p1][fuzzblocker]
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla15
Assigned To: Bill McCloskey (:billm)
Duplicates: 756843
Blocks: jsfunfuzz

Reported: 2012-05-18 23:37 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-06-27 11:22 PDT
gary: in-testsuite-

Attachments
stack (4.04 KB, text/plain)
2012-05-18 23:37 PDT, Gary Kwong [:gkw] [:nth10sd]
patch (964 bytes, patch)
2012-05-21 18:38 PDT, Bill McCloskey (:billm)
luke: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-05-18 23:37:06 PDT
Created attachment 625359
stack

try {} catch(e) {}
(function() {
    gcslice(62)
})()

asserts js debug shell on m-c changeset 642d1a36702f without any CLI arguments at Assertion failure: clasp->flags & (1<<5),

gcslice at play but I'm not sure if this is truly risk-free so locking s-s.

Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-05-18 23:39:11 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   94413:f45eec2bd4c7
user:        Luke Wagner
date:        Tue Dec 20 17:42:45 2011 -0800
summary:     Bug 690135 - create scope objects eagerly or not at all (r=jimb)

Comment 2 Jim Blandy :jimb 2012-05-19 21:06:49 PDT
I'm not able to reproduce this:

src$ hg parent
changeset:   94417:642d1a36702f
parent:      94360:9dab33fa5ff4
parent:      94416:47c8f2d06763
user:        Ryan VanderMeulen <ryanvm@gmail.com>
date:        Fri May 18 20:40:16 2012 -0400
summary:     Merge the last PGO-green inbound changeset to m-c.

src$ file obj~/shell/js
obj~/shell/js: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, not stripped
src$ cat ~/moz/scope-crash.js 
try {} catch(e) {}
(function() {
    gcslice(62)
})()
src$ obj~/js -f ~/moz/scope-crash.js 
src$ grep ^MOZ_DEBUG obj~/config/autoconf.mk 
MOZ_DEBUG	= 1
MOZ_DEBUG_SYMBOLS = 1
MOZ_DEBUG_ENABLE_DEFS		= -DDEBUG -D_DEBUG -DTRACING
MOZ_DEBUG_DISABLE_DEFS	= -DNDEBUG -DTRIMMED
MOZ_DEBUG_FLAGS	= -g3 -O0
MOZ_DEBUG_LDFLAGS=
src$

Comment 3 Jim Blandy :jimb 2012-05-19 21:10:54 PDT
I got it to crash; you just need to find the right gcslice value. I searched using this command (bash):

for ((i=0; i<500; i++)); do if ! obj~/js -e 'try {} catch(e) {}; (function() { gcslice('$i')})()'; then echo $i; break; fi; done

For me, the right value is 84: 

src$ obj~/js -e 'try {} catch(e) {}; (function() { gcslice(84)})()'
Assertion failure: clasp->flags & (1<<5), at /home/jimb/moz/dbg/js/src/gc/Marking.cpp:1126
Aborted (core dumped)
src$

Comment 4 Jim Blandy :jimb 2012-05-19 21:13:14 PDT
It seems like this is a crash that could be encountered in the wild. I don't know if it's s-s or not yet; that depends on what kind of invariant that assertion is checking.

Comment 5 Gary Kwong [:gkw] [:nth10sd] 2012-05-21 18:26:08 PDT
Setting [fuzzblocker] nonetheless. It happens pretty often.

Comment 6 Bill McCloskey (:billm) 2012-05-21 18:38:58 PDT
Created attachment 625850
patch

We need this stupid flag on every class with a trace hook. It's annoying.

Comment 7 Andrew McCreight [:mccr8] 2012-05-21 18:57:30 PDT
Bill, this is just the assertion you added to check when something is turning IGC off, right?  If that's the case, it seems like it doesn't need to s-s.

Comment 8 Bill McCloskey (:billm) 2012-05-22 11:39:13 PDT
*** Bug 756843 has been marked as a duplicate of this bug. ***

Comment 10 Ed Morley [:emorley] 2012-05-23 05:22:46 PDT
https://hg.mozilla.org/mozilla-central/rev/9de1e72ad539

Comment 11 Gary Kwong [:gkw] [:nth10sd] 2012-06-27 11:22:33 PDT
gcslice value varies -> fragile -> in-testsuite-
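
Added example, not part of the bug thread or the Mozilla tree: a sturdier form of the search loop from comment 3 that scans a range of gcslice budgets and reports only the runs that exit non-zero with "Assertion failure" on stderr, since comment 11 notes the triggering value varies. `stub_js` is a constructed stand-in for a debug shell so the block runs offline, and the `JS_SHELL` variable is an assumption for pointing it at a real build.

```shell
#!/bin/sh
# Added example, not from the bug thread.

# Constructed stand-in for a debug js shell so this runs offline.
# It mimics the abort from comment 3 at budget 84 and an unrelated,
# made-up failure at budget 86.
stub_js() {
    case "$2" in
        *"gcslice(84)"*)
            echo "Assertion failure: clasp->flags & (1<<5)," >&2
            return 134 ;;
        *"gcslice(86)"*)
            echo "constructed unrelated error" >&2
            return 3 ;;
    esac
    return 0
}

# find_asserting_slices JS LO HI
# Runs the testcase from the report once per gcslice budget in LO..HI and
# prints every budget whose run exits non-zero with an assertion on stderr.
find_asserting_slices() {
    js=$1; i=$2; hi=$3
    while [ "$i" -le "$hi" ]; do
        code="try {} catch(e) {}; (function() { gcslice($i) })()"
        status=0
        # Capture stderr only; "|| status=$?" keeps the loop alive under set -e.
        err=$("$js" -e "$code" 2>&1 >/dev/null) || status=$?
        hit=0
        case $err in
            *"Assertion failure"*) hit=1 ;;
        esac
        if [ "$status" -ne 0 ] && [ "$hit" -eq 1 ]; then
            echo "$i"
        fi
        i=$((i + 1))
    done
}

# JS_SHELL is an assumed variable naming a real debug build (obj~/js in the
# thread); without it the constructed stub is scanned instead.
find_asserting_slices "${JS_SHELL:-stub_js}" 0 499
```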
