Closed
Bug 987467
Opened 11 years ago
Closed 11 years ago
GenerationalGC: Assertion failure: !(*thingp)->arenaHeader()->allocatedDuringIncremental, at gc/Marking.cpp:364
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 986147
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])
The following testcase asserts on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision cf485c48b52f (run with --fuzzing-safe --ion-check-range-analysis):
function compareSource(expect, actual, summary)
replace(/new (\w+)\s*\(\s*\)/mg, 'new $1');
var lfcode = new Array();
lfcode.push("");
lfcode.push("0");
lfcode.push("\
var gTestcases = new Array();\
var setterCalled = false ;\
function TestCase() {}\
Array.prototype.__defineSetter__((2), function() { setterCalled = true; });\
for(var i = 0; i < 20; ++i) {\
var testcase = new TestCase();\
}\
( \"ABCDEFGHIJK\" ) (setterCalled, true);\
");
lfcode.push("\
var recursiveFunctions = [{}];\
(function testAllRecursiveFunctions() {\
for (var [propertyIsEnumerable, gc] = 0 ; i < 0; ++i) \
eval() \
})();\
gcslice(2868);\
");
lfcode.push("var f = new Float64Array([0, 0]); var u = new Uint32Array(f.buffer);");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file)
}
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
switch (lfRunTypeId) {
default: evaluate(lfVarx); break;
}
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
} catch (lfVare) { }
}
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
Reporter | |
Comment 1•11 years ago
|
||
JSBugMon: Cannot process bug: Unknown exception (check manually)
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
Reporter | |
Comment 2•11 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
|
||
Comment 3•11 years ago
|
||
Reproduced at original changeset with following output:
Assertion failure: !(*thingp)->arenaHeader()->allocatedDuringIncremental, at /home/jon/work/rooting/js/src/gc/Marking.cpp:364
Catchpoint 1 (signal SIGSEGV), js::gc::IsAboutToBeFinalized<js::ArrayBufferViewObject> (thingp=0x7fffffffe1b0)
at /home/jon/work/rooting/js/src/gc/Marking.cpp:364
364 JS_ASSERT(!(*thingp)->arenaHeader()->allocatedDuringIncremental);
This has been fixed by bug 986147.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•11 years ago
|
Component: JavaScript Engine → JavaScript: GC
You need to log in
before you can comment on or make changes to this bug.
Description
•