Closed
Bug 758164
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: !comp->rt->gcRunning, at ../jsgcinlines.h:333
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])
The following testcase asserts on ionmonkey revision 407632130d1b (run with --ion -n -m):
gc();
evaluate("gcslice(0);");
|
||
Comment 1•12 years ago
|
||
jsfunfuzz hits this a lot, too. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 96013:d5545e6d927b user: David Anderson date: Tue May 22 23:17:57 2012 -0700 summary: Throw Ion code away when needsBarrier changes (bug 757412, r=sstangl).
Blocks: 757412
Severity: major → critical
Keywords: regression
OS: Linux → All
Hardware: x86 → All
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
|
Reporter | |
Comment 2•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 80a444262772).
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
|
|
||
Comment 3•12 years ago
|
||
Confirming that this no longer occurs, the following changeset might have fixed it: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 96132:80a444262772 user: David Anderson date: Tue May 29 21:03:22 2012 -0400 summary: Merge backout.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 4•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•