Closed
Bug 773588
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at jsgc.cpp:4711
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox16 | --- | unaffected |
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
(deleted),
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on ionmonkey revision a29f6c635516 (run with --ion -n -m --ion-eager):
gcPreserveCode()
gczeal(4);
function f() {
var a = [], i, N = 10;
for (i = 0; i < N; i++)
a[i] = {
m: function() { return 0; },
m: function() { return (false ); }
};
schedulegc(10);
assertEq(f(), 1);
}
f();
|
Assignee | |
Updated•12 years ago
|
Assignee: general → dvander
Status: NEW → ASSIGNED
Hardware: x86 → x86_64
|
|
Assignee | |
Comment 1•12 years ago
|
||
INITPROP can initialize the same element twice, meaning we may need a write barrier.
Attachment #642811 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 2•12 years ago
|
||
CC'ing Bill and Brian since I think JM+TI might have the same bug, but I can't reproduce it with this test case.
I tried to write a JM test case for this, but for some reason gczeal(4) seems to be totally disabling the methodjit. That didn't used to happen. I'll look into it tomorrow.
|
||
Comment 4•12 years ago
|
||
Comment on attachment 642811 [details] [diff] [review]
fix
Review of attachment 642811 [details] [diff] [review]:
-----------------------------------------------------------------
Please add the testcase too, or do you want to do that after JM is fixed?
Attachment #642811 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 5•12 years ago
|
||
http://hg.mozilla.org/projects/ionmonkey/rev/699ab277c0b8 (test case unfortunately iloops)
Bill, should I keep this open or file a separate bug for JM?
Blocks: 774859
I cloned this into bug 774859.
|
|
Assignee | |
Comment 7•12 years ago
|
||
Thanks!
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox16:
--- → unaffected
|
Reporter | |
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 8•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•