756781 - IonMonkey: Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(thing)), at jsgc.cpp:4466

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on ionmonkey revision 890dd17b4187 (run with --ion -n -m --ion-eager):


function AddTestCase( description, expect, actual ) {
  new TestCase( SECTION, description, expect, actual );
}
function TestCase(n, d, e, a) {}
var SECTION = "String/match-004.js";
re = /0./;
s = 10203040506070809000;
Number.prototype.match = String.prototype.match;
AddRegExpCases(  re, "re = " + re , s, String(s), 1, ["02"]);
AddRegExpCases(  re, re, s, ["02"]);
function AddRegExpCases(
  regexp, str_regexp, string, str_string, index, matches_array ) {
  if ( regexp.exec(string) == null || matches_array == null ) {
    AddTestCase( string.match(regexp) );
  }
  AddTestCase( string.match(regexp).input );
  gczeal(4);
}

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fix

Sweet, I can actually debug these now. For technical reasons we can't trace invalidated IonCode objects, so tracing the IonScript later doesn't suffice for incremental GC. We can just force a trace here.

Comment 2

[David Anderson [:dvander] - inactive, e-mail if emergency]

http://hg.mozilla.org/projects/ionmonkey/rev/454dcc349cbb

Comment 3

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.

Comment 4

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756781.js.