x = function() {}; y = new WeakMap; selectforgc({});; y.set(x, Symbol()); asserts js debug shell on m-c changeset 1dc6b294800d with --ion-eager --ion-offthread-compile=off at Assertion failure: kind == MapAllocToTraceKind(cell->tenuredGetAllocKind()), at gc/Marking.cpp My configure flags are: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options> === Tinderbox Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20140623115045" and the hash "611283da02bf". The "bad" changeset has the timestamp "20140623122048" and the hash "cd2894ed2c76". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=611283da02bf&tochange=cd2894ed2c76 Jason, I set this to s-s but I'm not sure what its security rating should be, as it involves selectforgc. I'm also guessing bug 645416 might be related.

It looks like weak map key marking is interacting badly with symbols somehow.

Run with --ion-eager --ion-offthread-compile=off on an opt build. This may be accessing 0x4f4f4f4ffffff000. Configuration parameters: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

What's happening is that we put a symbol value into the weak map, but when we come to mark it it's tagged as an object! I don't understand how this is possible.

This sounds bad, so I'm marking it critical.

IsValueMarked() and IsValueAboutToBeFinalized() needed updating to know about symbols.

Comment on attachment 8456811 [details] [diff] [review] bug1035371-symbol-crash Review of attachment 8456811 [details] [diff] [review]: ----------------------------------------------------------------- Thanks! ::: js/src/gc/Marking.cpp @@ +728,5 @@ > JS_ASSERT(v->toGCThing()); > void *thing = v->toGCThing(); > trc->setTracingLocation((void *)v); > MarkKind(trc, &thing, v->gcKind()); > if (v->isString()) Don't forget to brace the first block as well.

JSBugMon: This bug has been automatically verified fixed.