WebKit Bugzilla
RESOLVED FIXED
159588
ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *)
https://bugs.webkit.org/show_bug.cgi?id=159588
Michael Saboff
Reported
2016-07-08 16:54:23 PDT
Here is the stack trace from within the debugger:

(lldb) btjs
* thread #1: tid = 0x1ca2eee, 0x00000001086ca294, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, addre\320 1
    frame #0: 0x00000001086ca294 JavaScriptCore`::WTFCrash() + 36 at Assertions.cpp:323
    frame #1: 0x00000001084f58d0 JavaScriptCore`JSC::SlotVisitor::appendToMarkStack(this=0x0000000104ff5498, cell=0x0000000106877490) + 80 at SlotVisitor.cpp:176
    frame #2: 0x0000000107f9e45b JavaScriptCore`JSC::Heap::addToRememberedSet(this=0x0000000104ff1018, cell=0x0000000106877490) + 251 at Heap.cpp:1085
    frame #3: 0x00000001077ebced JavaScriptCore`JSC::Heap::writeBarrier(this=0x0000000104ff1018, from=0x0000000106877490) + 237 at HeapInlines.h:121
    frame #4: 0x0000000107e7cfc0 JavaScriptCore`JSC::ScriptExecutable::installCode(this=0x0000000106877490, vm=0x0000000104ff1000, genericCodeBlock=0x000000010686b280, codeType=FunctionCode, kind=CodeForCall) + 1744 at Executable.cpp:266
    frame #5: 0x000000010797d341 JavaScriptCore`JSC::CodeBlock::jettison(this=0x0000000106845e40, reason=JettisonDueToUnprofiledWatchpoint, mode=CountReoptimization, detail=0x00007fff5b2564e8) + 1569 at CodeBlock.cpp:3481
    frame #6: 0x00000001079a8682 JavaScriptCore`JSC::CodeBlockJettisoningWatchpoint::fireInternal(this=0x000000010dbfb9d8, detail=0x00007fff5b2564e8) + 130 at CodeBlockJettisoningWatchpoint.cpp:40
    frame #7: 0x00000001086796d2 JavaScriptCore`JSC::Watchpoint::fire(this=0x000000010dbfb9d8, detail=0x00007fff5b2564e8) + 114 at Watchpoint.cpp:56
    frame #8: 0x0000000108679d28 JavaScriptCore`JSC::WatchpointSet::fireAllWatchpoints(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 408 at Watchpoint.cpp:131
    frame #9: 0x0000000108679b84 JavaScriptCore`JSC::WatchpointSet::fireAllSlow(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 116 at Watchpoint.cpp:92
    frame #10: 0x00000001079037a0 JavaScriptCore`JSC::WatchpointSet::fireAll(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 80 at Watchpoint.h:160
    frame #11: 0x000000010790373e JavaScriptCore`JSC::WatchpointSet::invalidate(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 62 at Watchpoint.h:186
    frame #12: 0x0000000107fc502a JavaScriptCore`JSC::InlineWatchpointSet::invalidate(this=0x000000010683eae8, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 74 at Watchpoint.h:315
    frame #13: 0x0000000107fc4d1b JavaScriptCore`JSC::InferredValue::invalidate(this=0x000000010683eae0, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 75 at InferredValue.h:94
    frame #14: 0x0000000107fc4fd0 JavaScriptCore`JSC::InferredValue::ValueCleanup::finalizeUnconditionally(this=0x0000000104d1bed0) + 304 at InferredValue.cpp:128
    frame #15: 0x00000001084f7448 JavaScriptCore`JSC::SlotVisitor::finalizeUnconditionalFinalizers(this=0x0000000104ff5498) + 88 at SlotVisitor.cpp:460
    frame #16: 0x0000000107f9a9db JavaScriptCore`JSC::Heap::finalizeUnconditionalFinalizers(this=0x0000000104ff1018) + 43 at Heap.cpp:486
    frame #17: 0x0000000107f9eba6 JavaScriptCore`JSC::Heap::collectImpl(this=0x0000000104ff1018, collectionType=FullCollection, stackOrigin=0x00007fff5b259000, stackTop=0x00007fff5b256718, calleeSavedRegisters=0x00007fff5b256730) [37]) + 1478 at Heap.cpp:1179
    frame #18: 0x0000000107f9e59d JavaScriptCore`JSC::Heap::collect(this=0x0000000104ff1018, collectionType=FullCollection) + 141 at Heap.cpp:1107
    frame #19: 0x0000000107f9e4c5 JavaScriptCore`JSC::Heap::collectAndSweep(this=0x0000000104ff1018, collectionType=FullCollection) + 53 at Heap.cpp:1093
    frame #20: 0x00000001049aac0a jsc`JSC::Heap::collectAllGarbage(this=0x0000000104ff1018) + 26 at Heap.h:168
    frame #21: 0x00000001049b50ed jsc`functionGCAndSweep(exec=0x00007fff5b256860) + 45 at jsc.cpp:1326
    frame #22: 0x000044fcad601028
    frame #23: 0x00000001082f7e0c JavaScriptCore`llint_entry + 28040 at LowLevelInterpreter.asm:753
    frame #24: 0x000044fcad628635
    frame #25: 0x000044fcad61fdf1
    frame #26: 0x00000001082f7e0c JavaScriptCore`llint_entry + 28040 at LowLevelInterpreter.asm:753
    frame #27: 0x00000001082f0e6e JavaScriptCore`vmEntryToJavaScript + 334 at LowLevelInterpreter64.asm:253
    frame #28: 0x00000001080e7f77 JavaScriptCore`JSC::JITCode::execute(this=0x0000000104d979b0, vm=0x0000000104ff1000, protoCallFrame=0x00007fff5b256d18) + 215 at JITCode.cpp:80
    frame #29: 0x00000001080754ce JavaScriptCore`JSC::Interpreter::execute(this=0x0000000104df20b0, program=0x000000010579ff70, callFrame=0x00000001057e3940, thisObj=0x00000001057aba40) + 4270 at Interpreter.cpp:961
    frame #30: 0x0000000107a04d2d JavaScriptCore`JSC::evaluate(exec=0x00000001057e3940, source=0x00007fff5b258298, thisValue=JSValue @ 0x00007fff5b2581a0, returnedException=0x00007fff5b2582b8) + 477 at Completion.cpp:107
    frame #31: 0x00000001049b2b31 jsc`runWithScripts(globalObject=0x00000001057e3900, scripts={ size = 1, capacity = 0 }, uncaughtExceptionName={ length = 0, contents = '' }, dump=false, module=false) + 1329 at jsc.cpp:2101
    frame #32: 0x00000001049aa6ee jsc`runJSC(vm=0x0000000104ff1000, options=CommandLine @ 0x00007fff5b258828) + 1326 at jsc.cpp:2348
    frame #33: 0x00000001049a94ba jsc`jscmain(argc=2, argv=0x00007fff5b258938) + 138 at jsc.cpp:2401
    frame #34: 0x00000001049a9326 jsc`main(argc=2, argv=0x00007fff5b258938) + 166 at jsc.cpp:1983
    frame #35: 0x00007fffdd7d4255 libdyld.dylib`start + 1
    frame #36: 0x00007fffdd7d4255 libdyld.dylib`start + 1
Attachments
Patch (1.83 KB, patch), 2016-07-08 17:00 PDT, Michael Saboff, no flags
Michael Saboff
Comment 1
2016-07-08 16:54:53 PDT
<rdar://problem/27211757>
Michael Saboff
Comment 2
2016-07-08 17:00:53 PDT
Created attachment 283226 [details]
Patch
Geoffrey Garen
Comment 3
2016-07-08 17:02:26 PDT
Comment on attachment 283226 [details]
Patch

r=me
Filip Pizlo
Comment 4
2016-07-08 17:13:58 PDT
Comment on attachment 283226 [details]
Patch

Wow, that's incredible! R=me too!
WebKit Commit Bot
Comment 5
2016-07-08 17:25:04 PDT
Comment on attachment 283226 [details]
Patch

Clearing flags on attachment: 283226

Committed r203012: <http://trac.webkit.org/changeset/203012>
WebKit Commit Bot
Comment 6
2016-07-08 17:25:08 PDT
All reviewed patches have been landed. Closing bug.