Closed Bug 826669 Opened 12 years ago Closed 12 years ago

[jsdbg2] Assertion failure: !IsThingPoisoned(thing), at gc/Marking.cpp:147

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla21

People

(Reporter: decoder, Assigned: jonco)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file, 1 obsolete file)

The following testcase asserts on mozilla-central revision 801ba75ac563 (no options required):

    gczeal(9, 2)
    var g1 = newGlobal('new-compartment');
    var g2 = newGlobal('new-compartment');
    var dbg = new Debugger();
    var g1w = dbg.addDebuggee(g1);
    g1.eval('function f() {}');
    scripts = dbg.findScripts({});
Whiteboard: [jsbugmon:update,bisect]
Attached patch Proposed fix (obsolete)
The assertion indicates that a finalized script is being marked and so is somehow reachable. It turns out that what's happening is that when this is called in the mark phase of an incremental GC, CellIter is handing out pointers to cells that are (were) unreachable and will shortly be swept. This is being caught by the marking assertion the next time a GC runs. The comment in findScripts already mentions that no GC may be allowed when using CellIter, but we also need to make sure we're not running between incremental GC slices, so the fix is to finish any ongoing GC here.
Assignee: general → jcoppeard
Status: NEW → ASSIGNED
Attached patch Better fix
Attachment #697946 - Attachment is obsolete: true
Attachment #698669 - Flags: review?(wmccloskey)
Attachment #698669 - Flags: review?(wmccloskey) → review+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
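Added example, not part of the bug report or the SpiderMonkey source: a toy C++ model of the hazard the assignee's comment describes, where an all-cells walk between incremental slices keeps a reference to a cell that the in-progress GC then sweeps, and the next GC's marking reaches it. All names (`Heap`, `Cell`, `reachesPoisonedCell`) are hypothetical, and the model assumes cells allocated during an in-progress GC start out marked.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy model only: none of these names are SpiderMonkey APIs.
struct Cell { bool live = true, marked = false, poisoned = false; std::vector<size_t> edges; };
struct Heap {
    std::vector<Cell> cells;
    std::vector<size_t> roots, stack;
    bool inGC = false, sawPoisoned = false;
    size_t alloc() { Cell c; c.marked = inGC; cells.push_back(c); return cells.size() - 1; }  // born marked mid-GC
    void mark(size_t i) {
        if (cells[i].poisoned) { sawPoisoned = true; return; }  // stands in for the assertion
        if (!cells[i].marked) { cells[i].marked = true; stack.push_back(i); }
    }
    void startGC() {
        for (Cell &c : cells) c.marked = false;
        inGC = true;
        for (size_t r : roots) mark(r);
    }
    void slice(size_t budget) {  // one incremental slice; sweeps once marking is complete
        while (budget-- && !stack.empty()) {
            size_t i = stack.back(); stack.pop_back();
            for (size_t e : cells[i].edges) mark(e);
        }
        if (!stack.empty()) return;
        for (Cell &c : cells) if (c.live && !c.marked) { c.live = false; c.poisoned = true; }
        inGC = false;
    }
    void finishGC() { while (inGC) slice(SIZE_MAX); }
};

// Walks every allocated cell between slices and keeps references to all of them.
bool reachesPoisonedCell(bool finishGCFirst) {
    Heap h;
    size_t root = h.alloc(), kept = h.alloc();
    h.alloc();                                // garbage: allocated but unreachable
    h.roots.push_back(root); h.cells[root].edges.push_back(kept);
    h.startGC(); h.slice(1);                  // marking has started but not finished
    if (finishGCFirst) h.finishGC();          // the fix described in the comment above
    std::vector<size_t> found;
    for (size_t i = 0; i < h.cells.size(); i++) if (h.cells[i].live) found.push_back(i);
    size_t holder = h.alloc();
    h.cells[holder].edges = found; h.roots.push_back(holder);
    h.finishGC();                             // sweeps whatever the first GC left unmarked
    h.startGC(); h.finishGC();                // the next GC marks through holder
    return h.sawPoisoned;
}
int main() { return reachesPoisonedCell(false) && !reachesPoisonedCell(true) ? 0 : 1; }
```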