Last Comment Bug 759306 - IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ js::gc::Cell::compartment]
: IonMonkey: Assertion failure: thing, at gc/Marking.cpp:85 or Crash [@ js::gc:...
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86 Linux
-- major (vote)
: ---
Assigned To: David Anderson [:dvander]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz IonFuzz
  Show dependency treegraph
Reported: 2012-05-29 05:47 PDT by Christian Holler (:decoder)
Modified: 2013-02-07 05:19 PST (History)
7 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

fix (1.42 KB, patch)
2012-05-29 14:39 PDT, David Anderson [:dvander]
nicolas.b.pierron: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2012-05-29 05:47:26 PDT
The following testcase asserts on ionmonkey revision 4ce3983a43f4 (run with --ion -n -m):

function assertEq(setter) {
        if (setter > 10)
            return {assertEq: 3.3};
        return {__proto__: assertEq(setter + 1)};
function testX() {
  var x = 2;
  var local0 = x;
  return { local0: local0 };
var resultsX = testX();
assertEq(resultsX.local0, 2);
assertEq(new (Proxy.createFunction({}, function(){}, function(){})), undefined);
Comment 1 User image Christian Holler (:decoder) 2012-05-29 05:48:46 PDT
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
0x0804ca51 in js::gc::Cell::compartment (this=0x0) at ../../gc/Heap.h:970
970         return arenaHeader()->compartment;
(gdb) x /i $pc
=> 0x804ca51 <js::gc::Cell::compartment() const+17>:    mov    (%eax),%eax
(gdb) info reg eax
eax            0x0      0
(gdb) bt
#0  0x0804ca51 in js::gc::Cell::compartment (this=0x0) at ../../gc/Heap.h:970
#1  0x08337013 in js::gc::CheckMarkedThing<JSObject> (trc=0x87aae28, thing=0x0) at js/src/gc/Marking.cpp:86
#2  0x083358b4 in js::gc::MarkInternal<JSObject> (trc=0x87aae28, thingp=0xfffe01d0) at js/src/gc/Marking.cpp:108
#3  0x08333ee3 in js::gc::MarkRoot<JSObject> (trc=0x87aae28, thingp=0xfffe01d0, name=0x85c2794 "ion-vm-args") at js/src/gc/Marking.cpp:154
#4  0x0832fa0b in js::gc::MarkObjectRoot (trc=0x87aae28, thingp=0xfffe01d0, name=0x85c2794 "ion-vm-args") at js/src/gc/Marking.cpp:213
#5  0x08445f88 in MarkIonExitFrame (trc=0x87aae28, frame=...) at js/src/ion/IonFrames.cpp:497
#6  0x084460aa in MarkIonActivation (trc=0x87aae28, activations=...) at js/src/ion/IonFrames.cpp:530
#7  0x08446178 in js::ion::MarkIonActivations (rt=0x87aacb8, trc=0x87aae28) at js/src/ion/IonFrames.cpp:557
#8  0x0810886c in js::MarkRuntime (trc=0x87aae28, useSavedRoots=false) at js/src/jsgc.cpp:2348
#9  0x08109a7d in BeginMarkPhase (rt=0x87aacb8) at js/src/jsgc.cpp:3003
#10 0x0810adfe in NonIncrementalMark (rt=0x87aacb8, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:3306
#11 0x0810be60 in GCCycle (rt=0x87aacb8, incremental=false, budget=0, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:3660
#12 0x0810c37f in Collect (rt=0x87aacb8, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:3769
#13 0x0810c514 in js::GC (rt=0x87aacb8, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:3793
#14 0x081066b5 in js::gc::RunLastDitchGC (cx=0x87cf570, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:1668
#15 0x0810d133 in js::gc::RunDebugGC (cx=0x87cf570) at js/src/jsgc.cpp:4012
#16 0x080b1501 in js::gc::NewGCThing<JSObject> (cx=0x87cf570, kind=js::gc::FINALIZE_OBJECT4, thingSize=48) at ../jsgcinlines.h:413
#17 0x080a032e in js_NewGCObject (cx=0x87cf570, kind=js::gc::FINALIZE_OBJECT4) at ../jsgcinlines.h:459
#18 0x080a077b in js::NewObjectCache::newObjectFromHit (this=0x87bf750, cx=0x87cf570, entry_=11) at ../jscntxtinlines.h:125
#19 0x08189114 in js::NewObjectWithClassProto (cx=0x87cf570, clasp=0x87815c0, proto=0x0, parent=0xf7703040, kind=js::gc::FINALIZE_OBJECT4) at js/src/jsobj.cpp:2824
#20 0x080a3509 in js::NewBuiltinClassInstance (cx=0x87cf570, clasp=0x87815c0, kind=js::gc::FINALIZE_OBJECT4) at ../jsobjinlines.h:1445
#21 0x0849b384 in js::ion::NewInitObject (cx=0x87cf570, baseObj=..., type=0xf7700160) at js/src/ion/VMFunctions.cpp:239
#22 0x0041434a in ?? ()

Could be a null-deref only, but making this s-s until confirmed as the crash is GC-related.
Comment 2 User image David Anderson [:dvander] 2012-05-29 14:39:34 PDT
Created attachment 628113 [details] [diff] [review]
Comment 3 User image David Anderson [:dvander] 2012-05-30 07:57:22 PDT
Comment 4 User image Christian Holler (:decoder) 2013-02-07 05:19:49 PST
Automatically extracted testcase for this bug was committed:

Note You need to log in before you can comment on or make changes to this bug.