Bug 144027

Summary: JSC_logGC=2 fails with assertion failure on trunk.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: ASSIGNED ---    
Severity: Normal CC: basile_clement, benjamin, fpizlo, ggaren, mhahnenb, mmirman, msaboff, saam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Description Mark Lam 2015-04-21 17:58:15 PDT 
When running with JSC_logGC=2 on a debug build of trunk (r183084), I'm now getting the following assertion failure:

ASSERTION FAILED: m_gcData == (remembered ? Marked : MarkedAndRemembered)
/Volumes/Data/ws3/OpenSource/Source/JavaScriptCore/runtime/JSCell.h(163) : void JSC::JSCell::setRemembered(bool)
Process 82807 stopped
* thread #1: tid = 0x1010a7a, 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
    frame #0: 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321
   318 	        globalHook();
   319 	
   320 	    WTFReportBacktrace();
-> 321 	    *(int *)(uintptr_t)0xbbadbeef = 0;
   322 	    // More reliable, but doesn't say BBADBEEF.
   323 	#if COMPILER(CLANG) || COMPILER(GCC)
   324 	    __builtin_trap();
(lldb) bt 10
* thread #1: tid = 0x1010a7a, 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321
    frame #1: 0x00000001037fa216 JavaScriptCore`JSC::JSCell::setRemembered(this=0x000000011a08de70, remembered=true) + 86 at JSCell.h:163
    frame #2: 0x0000000103bde9dc JavaScriptCore`JSC::LoggingFunctor::reviveCells(this=0x00007fff5f81b790) + 236 at GCLogging.cpp:92
    frame #3: 0x0000000103bde8c9 JavaScriptCore`JSC::LoggingFunctor::~LoggingFunctor(this=0x00007fff5f81b790) + 25 at GCLogging.cpp:63
    frame #4: 0x0000000103bde705 JavaScriptCore`JSC::LoggingFunctor::~LoggingFunctor(this=0x00007fff5f81b790) + 21 at GCLogging.cpp:62
    frame #5: 0x0000000103bde41c JavaScriptCore`JSC::GCLogging::dumpObjectGraph(heap=0x000000011a026198) + 108 at GCLogging.cpp:112
    frame #6: 0x00000001037f6749 JavaScriptCore`JSC::Heap::didFinishCollection(this=0x000000011a026198, gcStartTime=885198.95418514905) + 233 at Heap.cpp:1326
    frame #7: 0x00000001037f5a32 JavaScriptCore`JSC::Heap::collectImpl(this=0x000000011a026198, collectionType=AnyCollection, stackOrigin=0x00007fff5fc00000, stackTop=0x00007fff5f81b998, calleeSavedRegisters=0x00007fff5f81b9b0) [37]) + 1458 at Heap.cpp:1095
    frame #8: 0x00000001037f543d JavaScriptCore`JSC::Heap::collect(this=0x000000011a026198, collectionType=AnyCollection) + 141 at Heap.cpp:1018
    frame #9: 0x00000001032f1167 JavaScriptCore`JSC::Heap::collectIfNecessaryOrDefer(this=0x000000011a026198) + 87 at HeapInlines.h:326

I got the above trace with JSC_useJIT=0 JSC_verifyHeap=1 JSC_logGC=2 JSC_useZombieMode=1 JSC_numberOfGCMarkers=1.