Closed Bug 987467 Opened 10 years ago Closed 10 years ago

GenerationalGC: Assertion failure: !(*thingp)->arenaHeader()->allocatedDuringIncremental, at gc/Marking.cpp:364

Categories

(Core :: JavaScript: GC, defect)

Platform: x86_64 Linux; Type: defect; Priority: Not set; Severity: major

RESOLVED DUPLICATE of bug 986147

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])

The following testcase asserts on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision cf485c48b52f (run with --fuzzing-safe --ion-check-range-analysis):


function compareSource(expect, actual, summary)
    replace(/new (\w+)\s*\(\s*\)/mg, 'new $1');
var lfcode = new Array();
lfcode.push("");
lfcode.push("0");
lfcode.push("\
var gTestcases = new Array();\
var setterCalled = false ;\
function TestCase() {}\
Array.prototype.__defineSetter__((2), function() { setterCalled = true; });\
for(var i = 0; i < 20; ++i) {\
    var testcase = new TestCase();\
}\
( \"ABCDEFGHIJK\"   ) (setterCalled, true);\
");
lfcode.push("\
var recursiveFunctions = [{}];\
(function testAllRecursiveFunctions() {\
    for (var [propertyIsEnumerable, gc] = 0 ; i < 0; ++i) \
        eval() \
})();\
gcslice(2868);\
");
lfcode.push("var f = new Float64Array([0, 0]); var u = new Uint32Array(f.buffer);");
while (true) {
	var file = lfcode.shift(); if (file == undefined) { break; }
        loadFile(file)
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            switch (lfRunTypeId) {
                default: evaluate(lfVarx); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
        }
    } catch (lfVare) {    }
}
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unknown exception (check manually)
Whiteboard: [jsbugmon:bisect] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Reproduced at original changeset with following output:

Assertion failure: !(*thingp)->arenaHeader()->allocatedDuringIncremental, at /home/jon/work/rooting/js/src/gc/Marking.cpp:364

Catchpoint 1 (signal SIGSEGV), js::gc::IsAboutToBeFinalized<js::ArrayBufferViewObject> (thingp=0x7fffffffe1b0)
    at /home/jon/work/rooting/js/src/gc/Marking.cpp:364
364	    JS_ASSERT(!(*thingp)->arenaHeader()->allocatedDuringIncremental);


This has been fixed by bug 986147.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Component: JavaScript Engine → JavaScript: GC