Closed Bug 773588 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at jsgc.cpp:4711

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking

()

VERIFIED FIXED
Tracking Status
firefox16 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase asserts on ionmonkey revision a29f6c635516 (run with --ion -n -m --ion-eager):


gcPreserveCode()
gczeal(4);
function f() {
    var a = [], i, N = 10;
    for (i = 0; i < N; i++)
        a[i] = {
		m: function() { return 0; }, 
		m: function() { return (false  ); }
		};
        schedulegc(10);
        assertEq(f(), 1);
}
f();
Assignee: general → dvander
Status: NEW → ASSIGNED
Hardware: x86 → x86_64
Attached patch fixSplinter Review
INITPROP can initialize the same element twice, meaning we may need a write barrier.
Attachment #642811 - Flags: review?(jdemooij)
CC'ing Bill and Brian since I think JM+TI might have the same bug, but I can't reproduce it with this test case.
I tried to write a JM test case for this, but for some reason gczeal(4) seems to be totally disabling the methodjit. That didn't used to happen. I'll look into it tomorrow.
Comment on attachment 642811 [details] [diff] [review]
fix

Review of attachment 642811 [details] [diff] [review]:
-----------------------------------------------------------------

Please add the testcase too, or do you want to do that after JM is fixed?
Attachment #642811 - Flags: review?(jdemooij) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/699ab277c0b8 (test case unfortunately iloops)

Bill, should I keep this open or file a separate bug for JM?
Thanks!
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
You need to log in before you can comment on or make changes to this bug.