Closed
Bug 825326
Opened 12 years ago
Closed 11 years ago
"Assertion failure: (obj)->compartment()->isGCMarking(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
Tracking | Status | |
---|---|---|
firefox19 | --- | unaffected |
firefox20 | --- | fixed |
firefox21 | --- | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: gkw, Assigned: jonco)
References
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(2 files)
9.16 KB,
text/plain
|
Details | |
13.14 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
try { a = [] r = /x/ gczeal(10, 2)() } catch (e) {} try { (function() { r(function() { eval() }) })() } catch (e) {} try { s } catch (e) {} a.every() asserts js debug shell on m-c changeset f2a500997116 with -a at Assertion failure: (obj)->compartment()->isGCMarking(), s-s because GC seems involved. Assuming sec-critical unless otherwise shown. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 116562:54696b3f852b user: Jon Coppeard date: Tue Dec 18 13:27:28 2012 +0000 summary: Bug 820186 - Various crashes/assertions with gczeal(10) and random recursion. r=billm Tested with --enable-more-deterministic, but I'm not sure if it's needed.
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 1•12 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Assignee | ||
Updated•12 years ago
|
Assignee: general → jcoppeard
Assignee | ||
Comment 2•12 years ago
|
||
Reporter | ||
Comment 3•12 years ago
|
||
(In reply to Jon Coppeard (:jonco) from comment #2) > Created attachment 697065 [details] [diff] [review] > Potential fix Is the testcase from bug 820186 (the one with the Mersenne Twister) intended to be landed in this patch as well?
Assignee | ||
Comment 4•12 years ago
|
||
(In reply to Gary Kwong [:gkw] from comment #3) > (In reply to Jon Coppeard (:jonco) from comment #2) > > Created attachment 697065 [details] [diff] [review] > > Potential fix > > Is the testcase from bug 820186 (the one with the Mersenne Twister) intended > to be landed in this patch as well? Well, it should have been in the fix for bug 820186. But this bug was caused by the fix for that one so I included it here.
Reporter | ||
Comment 5•12 years ago
|
||
(In reply to Jon Coppeard (:jonco) from comment #2) > Created attachment 697065 [details] [diff] [review] > Potential fix I verify that this patch does fix the bug. :)
Reporter | ||
Comment 6•12 years ago
|
||
> I verify that this patch does fix the bug. :)
In addition, this bug seems to only occur on Mac, it did not reproduce when I tested on 32-bit Linux js shell.
Updated•11 years ago
|
Attachment #697065 -
Attachment is patch: true
Comment 7•11 years ago
|
||
Comment on attachment 697065 [details] [diff] [review] Potential fix It sounded like this was ready for review, so I'll mark it thus so it doesn't get lost.
Attachment #697065 -
Flags: review?(wmccloskey)
Assignee | ||
Updated•11 years ago
|
Attachment #697065 -
Flags: review?(wmccloskey) → review?(terrence)
Comment 8•11 years ago
|
||
Comment on attachment 697065 [details] [diff] [review] Potential fix Review of attachment 697065 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsgc.cpp @@ +3823,5 @@ > case SWEEP: > for (CompartmentsIter c(rt); !c.done(); c.next()) { > c->scheduledForDestruction = false; > > + if (c->isGCMarking() && c->activeAnalysis && !c->gcTypesMarked) { Oh, wow. I'm wondering how this worked at all: do we just hit a reset during sweeping in a compartmental GC incredibly infrequently?
Attachment #697065 -
Flags: review?(terrence) → review+
Assignee | ||
Comment 9•11 years ago
|
||
(In reply to Terrence Cole [:terrence] from comment #8) Well, this code only got introduced recently. And we hit the situation where analysis becomes active during GC pretty infrequently anyway, and on top of that it has to be a compartmental GC as well. Cheers for the review.
Assignee | ||
Comment 10•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/3e5257f5f4a6
Assignee | ||
Comment 11•11 years ago
|
||
Backed out and relanded with correct bug number in commit message: https://hg.mozilla.org/integration/mozilla-inbound/rev/05895b39ed9e
Comment 12•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/05895b39ed9e
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox20:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Updated•11 years ago
|
Group: core-security
status-b2g18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox21:
--- → fixed
status-firefox-esr17:
--- → unaffected
Comment 13•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/gc/bug-825326.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•