Closed Bug 756781 Opened 13 years ago Closed 13 years ago

IonMonkey: Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(thing)), at jsgc.cpp:4466

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking

()

VERIFIED FIXED

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][fuzzblocker])

Attachments

(1 file)

The following testcase asserts on ionmonkey revision 890dd17b4187 (run with --ion -n -m --ion-eager):

function AddTestCase( description, expect, actual ) {
  new TestCase( SECTION, description, expect, actual );
}
function TestCase(n, d, e, a) {}
var SECTION = "String/match-004.js";
re = /0./;
s = 10203040506070809000;
Number.prototype.match = String.prototype.match;
AddRegExpCases( re, "re = " + re , s, String(s), 1, ["02"]);
AddRegExpCases( re, re, s, ["02"]);
function AddRegExpCases( regexp, str_regexp, string, str_string, index, matches_array ) {
  if ( regexp.exec(string) == null || matches_array == null ) {
    AddTestCase( string.match(regexp) );
  }
  AddTestCase( string.match(regexp).input );
  gczeal(4);
}
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Assignee: general → dvander
Status: NEW → ASSIGNED
Attached patch: fix
Sweet, I can actually debug these now. For technical reasons we can't trace invalidated IonCode objects, so tracing the IonScript later doesn't suffice for incremental GC. We can just force a trace here.
Attachment #625787 - Flags: review?(wmccloskey)
Attachment #625787 - Flags: review?(wmccloskey) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756781.js.
Flags: in-testsuite+