Last Comment Bug 764850 - Assertion failure: allocated(), at ../../gc/Heap.h:498 or Crash [@ js::gc::MarkTypeObject]
: Assertion failure: allocated(), at ../../gc/Heap.h:498 or Crash [@ js::gc::Ma...
Status: RESOLVED FIXED
[jsbugmon:update][js:t]
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86_64 Linux
: -- major (vote)
: mozilla16
Assigned To: [PTO to Dec5] Bill McCloskey (:billm)
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz
  Show dependency treegraph
 
Reported: 2012-06-14 08:53 PDT by Christian Holler (:decoder)
Modified: 2013-02-07 05:18 PST (History)
11 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
patch (912 bytes, patch)
2012-06-15 18:44 PDT, [PTO to Dec5] Bill McCloskey (:billm)
terrence.d.cole: review+
Details | Diff | Splinter Review

Description Christian Holler (:decoder) 2012-06-14 08:53:15 PDT
The following testcase asserts on ionmonkey revision 7ab88528503e (run with --ion -n -m --ion-eager):


gczeal(4);
it.customNative = assertEq;
Comment 1 Sean Stangl [:sstangl] 2012-06-15 17:39:43 PDT
This one reproduces with --no-ion --no-jm.
Comment 2 Sean Stangl [:sstangl] 2012-06-15 17:45:15 PDT
This bug exists on mozilla-central (x86, debug). Impact is limited, since it appears to require the "it" object for failure, which only exists in shell builds.

CC'ing GC team members.
Comment 3 [PTO to Dec5] Bill McCloskey (:billm) 2012-06-15 18:44:04 PDT
Created attachment 633750 [details] [diff] [review]
patch
Comment 4 Andrew McCreight [:mccr8] 2012-06-15 18:50:57 PDT
If this is just a bug in GCZEAL it can probably be unhidden.
Comment 5 [PTO to Dec5] Bill McCloskey (:billm) 2012-06-22 11:32:58 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/61d6f770a430
Comment 6 Ryan VanderMeulen [:RyanVM] 2012-06-23 05:46:11 PDT
https://hg.mozilla.org/mozilla-central/rev/61d6f770a430
Comment 7 Christian Holler (:decoder) 2013-02-07 05:18:17 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397

Note You need to log in before you can comment on or make changes to this bug.