Closed Bug 981295 Opened 6 years ago Closed 6 years ago

GenerationalGC: Assertion failure: !(*thingp)->arenaHeader()->allocatedDuringIncremental, at gc/Marking.cpp:364

Categories

(Core :: JavaScript Engine, defect, major)

x86_64
Linux
defect
Not set
major

Tracking

()

RESOLVED FIXED
mozilla30

People

(Reporter: decoder, Assigned: terrence)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase asserts on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision d01bf8596d3b (run with --fuzzing-safe):


var NotEarlyErrorString = "NotEarlyError";
var NotEarlyError = new Error(NotEarlyErrorString);
var juneDate = new Date(2000, 5, 20, 0, 0, 0, 0);
for (var i = 0; i < function(x) myObj(Date.prototype.toString.apply(x)); void i) {
    eval(a.text.replace(/@/g, ""))
}
gcslice(2600);
function testcase() {}
new Uint16Array(testcase);
Since IsAboutToBeFinalized only wants to be called for weak things, it only expects to be called during early sweeping. When we call it during marking, an orthogonal assertion gets confused. Let's just split the implementations: it's not enough code to worry about sharing when the usage is semantically different.
Assignee: nobody → terrence
Status: NEW → ASSIGNED
Attachment #8388783 - Flags: review?(sphink)
Attachment #8388783 - Flags: review?(sphink) → review+
https://hg.mozilla.org/mozilla-central/rev/4801ac283614
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in before you can comment on or make changes to this bug.