Closed Bug 886560 Opened 11 years ago Closed 11 years ago

GenerationalGC: Assertion failure: !IsInsideNursery(thing->runtime(), thing), at gc/Marking.cpp:729

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla25

People

(Reporter: decoder, Assigned: terrence)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:ignore])

Attachments

(1 file)

v0
3.29 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision 76820c6dff7b (run with --fuzzing-safe):


setObjectMetadataCallback(function(obj) {
    var res = {};
    return res;
  });
gczeal(4);
x();
Attached patch v0Splinter Review 
PushMarkStack for BaseShape unpacks its children directly onto the mark stack. For a pre-barrier between incremental slices, this may result in objects in the nursery getting pushed onto the mark stack. It is safe to ignore these objects because they will be marked by the matching post-barrier during the minor GC at the start of each incremental slice.

PushMarkStack(JSObject*) is incredibly hot during mark-and-sweep, so I split out a separate function that loosens the assertion and does the extra IsInRuntime check only for the relevant objects. The [Lazy]Script cases do not have this problem because they call MarkChildren, which calls MarkObject, which calls MarkInternal, which already excludes nursery items.
Assignee: general → terrence
Status: NEW → ASSIGNED
Attachment #767479 - Flags: review?(bhackett1024)
Attachment #767479 - Flags: review?(bhackett1024) → review+
Flags: in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/f203d20f1096
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Depends on: 891306
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: