144027 2015-04-21 17:58:15 -0700 JSC_logGC=2 fails with assertion failure on trunk. 2015-04-21 17:59:24 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified ASSIGNED P2 Normal --- 1 mark.lam mark.lam basile_clement benjamin fpizlo ggaren mhahnenb mmirman msaboff saam oldest_to_newest 1087258 0 mark.lam 2015-04-21 17:58:15 -0700 When running with JSC_logGC=2 on a debug build of trunk (r183084), I'm now getting the following assertion failure: ASSERTION FAILED: m_gcData == (remembered ? Marked : MarkedAndRemembered) /Volumes/Data/ws3/OpenSource/Source/JavaScriptCore/runtime/JSCell.h(163) : void JSC::JSCell::setRemembered(bool) Process 82807 stopped * thread #1: tid = 0x1010a7a, 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) frame #0: 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321 318 globalHook(); 319 320 WTFReportBacktrace(); -> 321 *(int *)(uintptr_t)0xbbadbeef = 0; 322 // More reliable, but doesn't say BBADBEEF. 323 #if COMPILER(CLANG) || COMPILER(GCC) 324 __builtin_trap(); (lldb) bt 10 * thread #1: tid = 0x1010a7a, 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) * frame #0: 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321 frame #1: 0x00000001037fa216 JavaScriptCore`JSC::JSCell::setRemembered(this=0x000000011a08de70, remembered=true) + 86 at JSCell.h:163 frame #2: 0x0000000103bde9dc JavaScriptCore`JSC::LoggingFunctor::reviveCells(this=0x00007fff5f81b790) + 236 at GCLogging.cpp:92 frame #3: 0x0000000103bde8c9 JavaScriptCore`JSC::LoggingFunctor::~LoggingFunctor(this=0x00007fff5f81b790) + 25 at GCLogging.cpp:63 frame #4: 0x0000000103bde705 JavaScriptCore`JSC::LoggingFunctor::~LoggingFunctor(this=0x00007fff5f81b790) + 21 at GCLogging.cpp:62 frame #5: 0x0000000103bde41c JavaScriptCore`JSC::GCLogging::dumpObjectGraph(heap=0x000000011a026198) + 108 at GCLogging.cpp:112 frame #6: 0x00000001037f6749 JavaScriptCore`JSC::Heap::didFinishCollection(this=0x000000011a026198, gcStartTime=885198.95418514905) + 233 at Heap.cpp:1326 frame #7: 0x00000001037f5a32 JavaScriptCore`JSC::Heap::collectImpl(this=0x000000011a026198, collectionType=AnyCollection, stackOrigin=0x00007fff5fc00000, stackTop=0x00007fff5f81b998, calleeSavedRegisters=0x00007fff5f81b9b0) [37]) + 1458 at Heap.cpp:1095 frame #8: 0x00000001037f543d JavaScriptCore`JSC::Heap::collect(this=0x000000011a026198, collectionType=AnyCollection) + 141 at Heap.cpp:1018 frame #9: 0x00000001032f1167 JavaScriptCore`JSC::Heap::collectIfNecessaryOrDefer(this=0x000000011a026198) + 87 at HeapInlines.h:326 I got the above trace with JSC_useJIT=0 JSC_verifyHeap=1 JSC_logGC=2 JSC_useZombieMode=1 JSC_numberOfGCMarkers=1.