Closed Bug 773588 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at jsgc.cpp:4711

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking

()

VERIFIED FIXED
Tracking Status
firefox16 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase asserts on ionmonkey revision a29f6c635516 (run with --ion -n -m --ion-eager): gcPreserveCode() gczeal(4); function f() { var a = [], i, N = 10; for (i = 0; i < N; i++) a[i] = { m: function() { return 0; }, m: function() { return (false ); } }; schedulegc(10); assertEq(f(), 1); } f();
Assignee: general → dvander
Status: NEW → ASSIGNED
Hardware: x86 → x86_64
Attached patch fixSplinter Review
INITPROP can initialize the same element twice, meaning we may need a write barrier.
Attachment #642811 - Flags: review?(jdemooij)
CC'ing Bill and Brian since I think JM+TI might have the same bug, but I can't reproduce it with this test case.
I tried to write a JM test case for this, but for some reason gczeal(4) seems to be totally disabling the methodjit. That didn't used to happen. I'll look into it tomorrow.
Comment on attachment 642811 [details] [diff] [review] fix Review of attachment 642811 [details] [diff] [review]: ----------------------------------------------------------------- Please add the testcase too, or do you want to do that after JM is fixed?
Attachment #642811 - Flags: review?(jdemooij) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/699ab277c0b8 (test case unfortunately iloops) Bill, should I keep this open or file a separate bug for JM?
Thanks!
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: