Closed Bug 757810 Opened 13 years ago Closed 12 years ago

IonMonkey: Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(thing)), at jsgc.cpp:4444

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

Tracking

()

VERIFIED FIXED
Tracking Status
firefox16 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-needed [jsbugmon:update,ignore])

The following testcase asserts on ionmonkey revision d5545e6d927b (run with --ion -n -m):

var gTestcases = new Array();
function TestCase(n, d, e, a)
  gTestcases[gTc++] = this;
TestCase.prototype.dump = function () {
  dump('\njstest: ' + this.path + ' ' + 'reason: ' + toPrinted(this.reason) + '\n');
};
function toPrinted(value) {}
dump = (function () {});
for ( gTc=0; gTc < gTestcases.length; gTc++ ) {
}
function jsTestDriverEnd() {
  for (var i = 0; i < gTestcases.length; i++)
    gTestcases[i].dump();
}
function Integer( value, exception ) {
  new TestCase( this.value );
}
new TestCase( 3, false );
new Integer( NaN, true );
new Integer( 0, false );
new Integer( Infinity, false );
new Integer( -2.12, true );
new Integer( Math.LN2, true );
jsTestDriverEnd();
jsTestDriverEnd();
jsTestDriverEnd();
jsTestDriverEnd();
jsTestDriverEnd();
jsTestDriverEnd();
jsTestDriverEnd();
gczeal(4);

Whiteboard: [jsbugmon:update] → [jsbugmon:update] js-triage-needed
Assignee: general → dvander
Status: NEW → ASSIGNED
Bill recommends holding off on this until bug 746691 lands, which is very likely to fix this.
Fyi, with jandem's patch making this assertion more verbose, the assert is:

[LangFuzz] Issue Report: Assertion failure: [verifier failure] constant, at jsgc.cpp:4457

I got the same assertion for other values than "constant", and I'll file those separately now. Worst case, they are dups and we can just close them when this one is fixed :)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 80a444262772).
Whiteboard: [jsbugmon:update] js-triage-needed → js-triage-needed [jsbugmon:update,ignore]
Fixed by bug 746691.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security