Closed
Bug 826669
Opened 12 years ago
Closed 12 years ago
[jsdbg2] Assertion failure: !IsThingPoisoned(thing), at gc/Marking.cpp:147
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
People
(Reporter: decoder, Assigned: jonco)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file, 1 obsolete file)
6.38 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 801ba75ac563 (no options required):
gczeal(9, 2)
var g1 = newGlobal('new-compartment');
var g2 = newGlobal('new-compartment');
var dbg = new Debugger();
var g1w = dbg.addDebuggee(g1);
g1.eval('function f() {}');
scripts = dbg.findScripts({});
Reporter | ||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect]
Assignee | ||
Comment 1•12 years ago
|
||
The assertion indicates that a finalized script is being marked and so is somehow reachable.
It turns out that what's happening is that when this is called in the mark phase of an incremental GC, CellIter is handing out pointers to cells that are (were) unreachable and will shortly be swept. This is being caught by the marking assertion the next time a GC runs.
The comment in findScripts already mentions that no GC may be allowed when using CellIter, but we also need to make sure we're not running between incremental GC slices, so the fix is to finish any ongoing GC here.
Assignee: general → jcoppeard
Status: NEW → ASSIGNED
Assignee | ||
Comment 2•12 years ago
|
||
Attachment #697946 -
Attachment is obsolete: true
Assignee | ||
Updated•12 years ago
|
Attachment #698669 -
Flags: review?(wmccloskey)
Attachment #698669 -
Flags: review?(wmccloskey) → review+
![]() |
||
Comment 3•12 years ago
|
||
Flags: in-testsuite+
Comment 4•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
You need to log in
before you can comment on or make changes to this bug.
Description
•