Bug 144027
| Summary: | JSC_logGC=2 fails with assertion failure on trunk. | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Mark Lam <mark.lam> |
| Component: | JavaScriptCore | Assignee: | Mark Lam <mark.lam> |
| Status: | ASSIGNED | ||
| Severity: | Normal | CC: | basile_clement, benjamin, fpizlo, ggaren, mhahnenb, mmirman, msaboff, saam |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Mark Lam
When running with JSC_logGC=2 on a debug build of trunk (r183084), I'm now getting the following assertion failure:
ASSERTION FAILED: m_gcData == (remembered ? Marked : MarkedAndRemembered)
/Volumes/Data/ws3/OpenSource/Source/JavaScriptCore/runtime/JSCell.h(163) : void JSC::JSCell::setRemembered(bool)
Process 82807 stopped
* thread #1: tid = 0x1010a7a, 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
frame #0: 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321
318 globalHook();
319
320 WTFReportBacktrace();
-> 321 *(int *)(uintptr_t)0xbbadbeef = 0;
322 // More reliable, but doesn't say BBADBEEF.
323 #if COMPILER(CLANG) || COMPILER(GCC)
324 __builtin_trap();
(lldb) bt 10
* thread #1: tid = 0x1010a7a, 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
* frame #0: 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321
frame #1: 0x00000001037fa216 JavaScriptCore`JSC::JSCell::setRemembered(this=0x000000011a08de70, remembered=true) + 86 at JSCell.h:163
frame #2: 0x0000000103bde9dc JavaScriptCore`JSC::LoggingFunctor::reviveCells(this=0x00007fff5f81b790) + 236 at GCLogging.cpp:92
frame #3: 0x0000000103bde8c9 JavaScriptCore`JSC::LoggingFunctor::~LoggingFunctor(this=0x00007fff5f81b790) + 25 at GCLogging.cpp:63
frame #4: 0x0000000103bde705 JavaScriptCore`JSC::LoggingFunctor::~LoggingFunctor(this=0x00007fff5f81b790) + 21 at GCLogging.cpp:62
frame #5: 0x0000000103bde41c JavaScriptCore`JSC::GCLogging::dumpObjectGraph(heap=0x000000011a026198) + 108 at GCLogging.cpp:112
frame #6: 0x00000001037f6749 JavaScriptCore`JSC::Heap::didFinishCollection(this=0x000000011a026198, gcStartTime=885198.95418514905) + 233 at Heap.cpp:1326
frame #7: 0x00000001037f5a32 JavaScriptCore`JSC::Heap::collectImpl(this=0x000000011a026198, collectionType=AnyCollection, stackOrigin=0x00007fff5fc00000, stackTop=0x00007fff5f81b998, calleeSavedRegisters=0x00007fff5f81b9b0) [37]) + 1458 at Heap.cpp:1095
frame #8: 0x00000001037f543d JavaScriptCore`JSC::Heap::collect(this=0x000000011a026198, collectionType=AnyCollection) + 141 at Heap.cpp:1018
frame #9: 0x00000001032f1167 JavaScriptCore`JSC::Heap::collectIfNecessaryOrDefer(this=0x000000011a026198) + 87 at HeapInlines.h:326
I got the above trace with JSC_useJIT=0 JSC_verifyHeap=1 JSC_logGC=2 JSC_useZombieMode=1 JSC_numberOfGCMarkers=1.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |