Closed
Bug 580694
Opened 14 years ago
Closed 14 years ago
JM: "Assertion failure: kind == GetFinalizableThingTraceKind(str),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: adrake)
References
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file, 1 obsolete file)
|
(deleted),
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
function f3() {
try {
v = f()
} catch (r) {}
}
function f1(a, t) {
f2(f, a)
}
function f2() {
u = uneval()
}
f = (function () {
Proxy((function () {})(gc()), [])
})
a = ""
f1()
f3(f, a)
asserts js debug shell on JM changeset 7c6f62fcbd91 with -m at Assertion failure: kind == GetFinalizableThingTraceKind(str), at ../jsgc.cpp:2190
|
Assignee | |
Comment 1•14 years ago
|
||
This is a result of torn values on the stack. There is now a patch in my queue that syncs type whenever data is synced, and it fixes this bug, as well as the simpler test case:
function die() {
var a = [];
var b = [];
var c = a + b;
c = ({ });
gc();
}
die();
Assignee: general → adrake
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 2•14 years ago
|
||
Attachment #459606 -
Flags: review?(dvander)
|
|
Assignee | |
Comment 3•14 years ago
|
||
Attachment #459606 -
Attachment is obsolete: true
Attachment #459610 -
Flags: review?(dvander)
Attachment #459606 -
Flags: review?(dvander)
Comment on attachment 459610 [details] [diff] [review]
Band-aid patch: now with more context!
I think we need something in `::sync() const` as well... band-aid fine for now since we want conservative GC.
Attachment #459610 -
Flags: review?(dvander) → review+
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Comment 6•12 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•