Closed
Bug 875777
Opened 11 years ago
Closed 11 years ago
Assertion failure: !(addr & ArenaMask), at gc/Heap.h:843 or Crash [@ GetGCThingMarkBitmap]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
firefox23 | --- | unaffected |
firefox24 | --- | verified |
firefox-esr17 | --- | unaffected |
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update][sg:dupe 875748])
Attachments
(2 files, 1 obsolete file)
The attached testcase asserts on mozilla-central revision df526497d949 (run with --ion-eager).
Reporter | ||
Comment 1•11 years ago
|
||
Reporter | ||
Comment 2•11 years ago
|
||
Opt crash trace: Program received signal SIGSEGV, Segmentation fault. 0x080d868f in GetGCThingMarkBitmap (thing=0xffffff85) at /usr/include/bits/string3.h:85 85 return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest)); #0 0x080d868f in GetGCThingMarkBitmap (thing=0xffffff85) at /usr/include/bits/string3.h:85 #1 GetGCThingMarkWordAndMask (thing=0xffffff85, maskp=<synthetic pointer>, wordp=<optimized out>, color=0) at ./dist/include/js/HeapAPI.h:111 #2 getMarkWordAndMask (wordp=<optimized out>, color=0, cell=0xffffff85, maskp=<synthetic pointer>, this=<optimized out>) at js/src/gc/Heap.h:680 #3 arenaBits (aheader=0xffffff85, this=<optimized out>) at js/src/gc/Heap.h:727 #4 unmarkAll (this=0x908096c) at js/src/jsgc.h:360 #5 BeginMarkPhase (rt=0x9022ea0) at js/src/jsgc.cpp:2801 #6 IncrementalCollectSlice (rt=0x9022ea0, budget=<optimized out>, reason=JS::gcreason::LAST_CONTEXT, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:4237 #7 0x080da9ed in GCCycle (rt=0x9022ea0, incremental=<optimized out>, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::LAST_CONTEXT) at js/src/jsgc.cpp:4415 edi 0xac 172 => 0x80d868f <IncrementalCollectSlice(JSRuntime*, int64_t, JS::gcreason::Reason, js::JSGCInvocationKind)+2143>: rep stos %eax,%es:(%edi) S-s due to GC hazard.
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Comment 3•11 years ago
|
||
Reporter | ||
Comment 4•11 years ago
|
||
Comment on attachment 753795 [details]
[crash-signature] Machine-readable crash signature
Wrong signature for this bug.
Attachment #753795 -
Attachment is obsolete: true
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 5•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 132612:b2216a10f95b user: Shu-yu Guo date: Tue May 21 23:52:45 2013 -0700 summary: Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj) This iteration took 328.595 seconds to run.
Comment 6•11 years ago
|
||
I can't reproduce this on my machine, but it's likely a duplicate of 875748
Updated•11 years ago
|
Keywords: regression
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter | ||
Comment 7•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0fed3377c839).
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
Reporter | ||
Comment 8•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0fed3377c839). JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 132895:e1bca8b56470 user: Jan de Mooij date: Fri May 24 14:03:31 2013 +0200 summary: Bug 868431 - Disable Ion when Baseline is disabled, remove bailout-to-interpreter code. r=djvj This iteration took 324.962 seconds to run.
Comment 9•11 years ago
|
||
Strange bisection result. Nonetheless, assuming fixed by bug 875748 as per comment 6.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Reporter | ||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 10•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•11 years ago
|
status-firefox23:
--- → unaffected
status-firefox24:
--- → fixed
status-firefox-esr17:
--- → unaffected
Updated•11 years ago
|
Comment 11•11 years ago
|
||
Based on comment 10
You need to log in
before you can comment on or make changes to this bug.
Description
•