Assertion failure: allocated(), at ../../gc/Heap.h:498 or Crash [@ js::gc::MarkTypeObject]

RESOLVED FIXED in mozilla16

Status

Core
JavaScript Engine
--
major
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: decoder, Assigned: billm)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Other Branch
mozilla16
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update][js:t])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on ionmonkey revision 7ab88528503e (run with --ion -n -m --ion-eager):


gczeal(4);
it.customNative = assertEq;
This one reproduces with --no-ion --no-jm.
This bug exists on mozilla-central (x86, debug). Impact is limited, since it appears to require the "it" object for failure, which only exists in shell builds.

CC'ing GC team members.
Summary: IonMonkey: Assertion failure: allocated(), at ../../gc/Heap.h:498 or Crash [@ js::gc::MarkTypeObject] → Assertion failure: allocated(), at ../../gc/Heap.h:498 or Crash [@ js::gc::MarkTypeObject]
No longer blocks: 724444
(Assignee)

Comment 3

5 years ago
Created attachment 633750 [details] [diff] [review]
patch
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #633750 - Flags: review?(terrence)
If this is just a bug in GCZEAL it can probably be unhidden.
Attachment #633750 - Flags: review?(terrence) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update][js:t]
Group: core-security
(Assignee)

Comment 5

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/61d6f770a430
https://hg.mozilla.org/mozilla-central/rev/61d6f770a430
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
(Reporter)

Comment 7

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+