Closed
Bug 732758
Opened 13 years ago
Closed 13 years ago
IonMonkey: "Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(*thingp))," with verifybarriers and gc
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: dvander)
References
Details
(Keywords: assertion, regression, testcase)
Attachments
(2 files, 2 obsolete files)
|
(deleted),
text/plain
|
Details | |
|
(deleted),
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
function tryItOut(code) {
try {
f = Function(code)
} catch (r) {}
v = tryRunning(f, code)
x = String;
for (e in v) {}
}
function tryRunning() {
try {
rv = f();
return rv;
} catch (r) {
x = String;
}
}
__proto__.__defineSetter__("x", function() {});
tryItOut("/()/;\"\"()");
tryItOut("}");
tryItOut("");
tryItOut("o");
tryItOut(")");
tryItOut("(");
tryItOut(")");
tryItOut("}");
tryItOut("}");
tryItOut(")");
tryItOut(")");
tryItOut("");
tryItOut("l;function u(){/j/}");
tryItOut("(");
tryItOut("t");
tryItOut("(");
tryItOut(")");
tryItOut("(");
tryItOut("");
tryItOut("{t:g}");
tryItOut("r");
tryItOut("p");
tryItOut("gc()");
tryItOut("verifybarriers()");
tryItOut("/**/yield");
asserts js debug shell on IonMonkey changeset 1fd6c40d3852 with --ion and -n at Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(*thingp)), testcase is seemingly fragile and must be passed in as a CLI argument to reproduce.
Due to skipped revisions, the first bad revision could be any of:
changeset: 88151:8add57bafb0d
user: David Anderson
date: Tue Feb 21 12:47:02 2012 -0800
summary: Implement IonMonkey write barriers (bug 724875, r=jandem,marty).
changeset: 88152:82c6ca0616d0
user: David Anderson
date: Tue Feb 21 12:48:48 2012 -0800
summary: Work around argument-check bailouts not having a scope chain set (bug 724788, r=jandem).
changeset: 88153:6dd34eec6fbe
user: Nicolas Pierron
date: Tue Feb 21 13:59:08 2012 -0800
summary: Fast version of charAt, charCodeAt and fromCharCode (Bug 718853, r=dvander)
changeset: 88348:61980734d3a2
parent: 88152:82c6ca0616d0
parent: 88347:7dcbce54a953
user: David Anderson
date: Tue Feb 21 15:08:22 2012 -0800
summary: Merge from mozilla-central.
changeset: 88349:5a061abdf807
parent: 88348:61980734d3a2
parent: 88153:6dd34eec6fbe
user: David Anderson
date: Tue Feb 21 15:08:43 2012 -0800
summary: Merge.
changeset: 88350:ca97bbcd6b90
user: David Anderson
date: Tue Feb 21 15:16:23 2012 -0800
summary: Fix some merge fallout.
changeset: 88351:4307162c30b6
user: Nicolas Pierron
date: Tue Feb 21 15:55:40 2012 -0800
summary: Fix OSX: Move explicit template instantiation to CPP file (Bug 718853, r=dvander)
changeset: 88352:70cc24cdd404
user: Nicolas Pierron
date: Tue Feb 21 18:43:53 2012 -0800
summary: Fix OS X compilation, explicitly instantiate the function after its definition. (Bug 718853, r=dvander)
changeset: 88353:acb08144edf1
user: Nicolas Pierron
date: Tue Feb 21 22:06:47 2012 -0800
summary: Implement JSOP_INITELEM. (Bug 691340, r=jandem)
changeset: 88354:14d9f14b129e
user: Jan de Mooij
date: Wed Feb 22 09:46:50 2012 +0100
summary: Fix Clang (and probably also MSVC) errors (no bug, r=red)
|
Reporter | |
Comment 1•13 years ago
|
||
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
|
|
Assignee | |
Comment 2•13 years ago
|
||
|
|
Assignee | |
Comment 3•13 years ago
|
||
Attachment #603568 -
Attachment is obsolete: true
Attachment #603570 -
Flags: review?(wmccloskey)
Attachment #603568 -
Flags: review?(wmccloskey)
|
|
Assignee | |
Comment 4•13 years ago
|
||
Bleh, sorry for spam. hg qfin is beyond broken.
Attachment #603570 -
Attachment is obsolete: true
Attachment #603571 -
Flags: review?(wmccloskey)
Attachment #603570 -
Flags: review?(wmccloskey)
Attachment #603571 -
Flags: review?(wmccloskey) → review+
|
|
Assignee | |
Comment 5•13 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Comment 6•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug732758.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•