eif-generator.js assertion error with gc zeal at 4

RESOLVED FIXED in mozilla16

Status: RESOLVED FIXED (5 years ago)
Product: Core
Component: JavaScript Engine
People: Reporter: Benjamin, Assigned: luke
Version: unspecified
Target Milestone: mozilla16
Platform: x86_64 Linux
Whiteboard: [js:t]
Attachments: 1 attachment

(Reporter)

Description

5 years ago
$ JS_GC_ZEAL=4 jit-test/jit_test.py _DBJ.OBJ/js eif-generator -o
Assertion failure: addr % Cell::CellSize == 0, at ../gc/Heap.h:825
(Assignee)

Comment 1

5 years ago
Created attachment 634271: fix

Ah, so the problem is that it is totally bogus to copy a generator frame's slot values into the call object when the generator is about to be finalized (duh). Rather than trying to dance around to make this work, I'd rather just remove the copy since it only helps preserve debugger values in a presumably rare corner case.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #634271 - Flags: review?(jimb)
Whiteboard: [js:t]
(Assignee)

Updated

5 years ago
Attachment #634271 - Flags: review?(jimb) → review?(wmccloskey)
Comment on attachment 634271: fix

This looks fine to me. Jim, I just want to make sure you're okay losing this debugger feature.
Attachment #634271 - Flags: review?(wmccloskey) → review+
(Assignee)

Comment 3

5 years ago
The code removal here is definitely a necessary fix, since the values are potentially garbage, so "not losing the debugger feature" is really "adding a debugger feature" which would imply a new bug.
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/0d94dbf7ae1e
and filed bug 768220 as followup.
Target Milestone: --- → mozilla16

Comment 5

5 years ago
https://hg.mozilla.org/mozilla-central/rev/0d94dbf7ae1e
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED