Closed Bug 580924 Opened 14 years ago Closed 14 years ago

JM: "Assertion failure: !IsMarkedGCThing(cursor),"

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical


RESOLVED WORKSFORME

People

(Reporter: gkw, Unassigned)


Details

(Keywords: assertion, regression, testcase)

// Fuzzer-reduced testcase for the SpiderMonkey js debug shell (the report runs it with -m).
// It relies on non-standard SpiderMonkey syntax and shell built-ins: expression
// closures (`function se() <expr>`), `for each`, `uneval`, `gc` and `__defineGetter__`.
// Only f1 -> f2 -> f3 is reached from the call at the bottom; se, ha, rt, cg, he, ly,
// st and ts are never called by the visible script (presumably residue of the reduction).
function se()
eo = "fn"
function ha() function () {
    for each(af in a) {}
}
function rt() {
    if (sl) {}
}
// Compiles `code` into a function with eval, hands it to f2/f3 (which uneval it),
// then invokes it. The string comes from the testcase itself, not from external input.
function f1(code) {
    var f = eval("(function(){" + code + "})");
    f2(f, code, true)
    try {
        vv = f()
    } catch (or) {}   // any exception thrown by the compiled function is discarded
}
// Pure pass-through to f3.
function f2(f, code, t) {
    f3(f, code, t)
}
function cg() {}
// Called with three arguments but declares two; the third is ignored.
function f3(f, wtt) {
    // `var f` redeclares the parameter without changing its value; uneval(f)
    // produces the function's source text before it is first run.
    var f, ug = uneval(f)
    if (wtt.eg) {}   // property read on the code string; the branch body is empty
}
function he(ce) io(oe, gs)
function ly(tt) {
    if (dg("ee") - 1) for (; il.th;) {}
}
function st() {
    if ("tp" in is) {
        if (wt) {
            if (de) {}
        }
    }
}
function ts(ft) {
    if (0 && ne == NK) {
        if (nt) {}
    }
}
// Installs the shell's gc function as the getter for `x` (presumably on the global
// object, since the call is unqualified): every read of `x` runs a garbage collection.
__defineGetter__("x", gc)
// The array literal below reads `x` three times, so a GC runs while the array's
// elements are still being evaluated inside the compiled function. `f` inside the
// string presumably resolves to f1's local through the direct eval; confirm.
f1("\
  for each(c in[\
    x,null,'',null,null,f,\"\",null,null,x,f,false,false,null,null,\"\",'',\"\",'','',null,x\
  ]){}\
")

The testcase above asserts in the js debug shell on JM changeset 7c6f62fcbd91 when run with -m: Assertion failure: isRope(), at ../jsstr.h:371
Works for me on moo tip 64-bit, but fails on 32-bit.
Note that 64-bit currently implies --disable-monoic, --disable-polyic.
Also fails when ICs are disabled.
Now fails only on 32bit, with assertion:

Assertion failure: !IsMarkedGCThing(cursor), at /home/adrake/src/moo/js/src/jsgc.cpp:1231
Confirming comment #4.

Here's another testcase that triggers "Assertion failure: !IsMarkedGCThing(cursor), at ../jsgc.cpp:1208" in a 32-bit Linux shell with -m when passed in as a CLI argument:


// Second fuzzer-reduced testcase for the js debug shell (run with -m per the report).
// Uses SpiderMonkey-only features: expression closures, `uneval`, `gc`, `__defineGetter__`.
// Call chain from the last line: g -> f2 -> f4 -> f5, then g -> f3 -> f().
function g(foo) {
    foo.replace("")      // result unused
    f = Function(foo)    // no `var`: assigns a global `f`, which f2 and f3 read
    f2(f, foo, f)
    f3(f, foo)
}
// Declares no parameters; runs the global `f` and keeps any thrown value in a local.
function f3() {
    try {
        v = f()
    } catch (o) {
        var r = (o)
    }
}
// Declares no parameters; forwards the global `f` to f4.
function f2() {
    f4(f)
}
// Decompiles the function with uneval before it is first run, then calls f5.
function f4(f, e, t) {
    var g, uf, u         // local `g` shadows the outer function g; g and u are unused
    uf = uneval(f)
    f5(uf)
}
// NOTE(review): f5 has no braces, so under the expression-closure syntax the
// __defineGetter__ line that follows presumably parses as f5's body rather than as a
// top-level statement. If so, the gc getter for `x` is only installed when f4 calls
// f5, i.e. after the loop function was created and before f3 runs it; confirm.
function f5()
__defineGetter__("x", gc)
// The array literal reads `x` twice, so gc runs while the array is being built.
g("for(let z in[x,0,0,0,0,0,0,x]){}")
Summary: JM: "Assertion failure: isRope()," → JM: "Assertion failure: !IsMarkedGCThing(cursor),"
This was fixed by bug 583084.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME