Closed Bug 885988 Opened 11 years ago Closed 11 years ago

Assertion failure: !InFreeList(thing->arenaHeader(), thing), at gc/Marking.cpp or Assertion failure: addr % CellSize == 0, at gc/Heap.h

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: gkw, Unassigned)

Details

(4 keywords)

Attachments

(1 file)

Attached file stack
The upcoming resistant-to-reduction testcase asserts js debug shell on m-c changeset cea75ce9a559 with --no-ti --ion-eager at Assertion failure: !InFreeList(thing->arenaHeader(), thing), at gc/Marking.cpp

Note that this has seemingly manifested in bug 860127, but also without a reliable testcase.

I occasionally also see the following assertion:
Assertion failure: addr % CellSize == 0, at gc/Heap.h

Setting s-s because gc is seemingly involved and is on the stack.

I used:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh configure --target=x86_64-apple-darwin11.4.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-threadsafe

(--with-system-nspr may also be needed)

Asking needinfo from jandem - please feel free to forward this on as necessary.
Flags: needinfo?(jdemooij)

Sounds pretty bad.
Keywords: sec-high

Gary, I was unable to reproduce this yesterday. Which Clang version are you using?

$ clang --version
Apple LLVM version 4.2 (clang-425.0.28) (based on LLVM 3.2svn)
Target: x86_64-apple-darwin12.4.0
Thread model: posix

I couldn't reproduce this today either, not even with the original changeset. Does the stack help? If not, I guess we can call this WFM.

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> I couldn't reproduce this today either, not even with the original
> changeset. Does the stack help? If not, I guess we can call this WFM.

Bug 885648 might have fixed this, it's also related to marking generator frames... If we both can't reproduce it I think we should close it as WFM.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release