159588 – ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *)

Bug 159588 - ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *)

Summary: ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC:...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Michael Saboff

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2016-07-08 16:54 PDT by Michael Saboff
Modified:	2016-07-08 17:25 PDT (History)
CC List:	6 users (show)

See Also:

Attachments
Patch (1.83 KB, patch) 2016-07-08 17:00 PDT, Michael Saboff	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Saboff 2016-07-08 16:54:23 PDT

Here is the stack trace from within the debugger:
(lldb) btjs
* thread #1: tid = 0x1ca2eee, 0x00000001086ca294, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, addre\320
1
    frame #0: 0x00000001086ca294 JavaScriptCore`::WTFCrash() + 36 at Assertions.cpp:323
    frame #1: 0x00000001084f58d0 JavaScriptCore`JSC::SlotVisitor::appendToMarkStack(this=0x0000000104ff5498, cell=0x0000000106877490) + 80 at SlotVisitor.cpp:176
    frame #2: 0x0000000107f9e45b JavaScriptCore`JSC::Heap::addToRememberedSet(this=0x0000000104ff1018, cell=0x0000000106877490) + 251 at Heap.cpp:1085
    frame #3: 0x00000001077ebced JavaScriptCore`JSC::Heap::writeBarrier(this=0x0000000104ff1018, from=0x0000000106877490) + 237 at HeapInlines.h:121
    frame #4: 0x0000000107e7cfc0 JavaScriptCore`JSC::ScriptExecutable::installCode(this=0x0000000106877490, vm=0x0000000104ff1000, genericCodeBlock=0x000000010686b280, codeType=FunctionCode, kind=CodeForCall) + 1744 at Executable.cpp:266
    frame #5: 0x000000010797d341 JavaScriptCore`JSC::CodeBlock::jettison(this=0x0000000106845e40, reason=JettisonDueToUnprofiledWatchpoint, mode=CountReoptimization, detail=0x00007fff5b2564e8) + 1569 at CodeBlock.cpp:3481
    frame #6: 0x00000001079a8682 JavaScriptCore`JSC::CodeBlockJettisoningWatchpoint::fireInternal(this=0x000000010dbfb9d8, detail=0x00007fff5b2564e8) + 130 at CodeBlockJettisoningWatchpoint.cpp:40
    frame #7: 0x00000001086796d2 JavaScriptCore`JSC::Watchpoint::fire(this=0x000000010dbfb9d8, detail=0x00007fff5b2564e8) + 114 at Watchpoint.cpp:56
    frame #8: 0x0000000108679d28 JavaScriptCore`JSC::WatchpointSet::fireAllWatchpoints(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 408 at Watchpoint.cpp:131
    frame #9: 0x0000000108679b84 JavaScriptCore`JSC::WatchpointSet::fireAllSlow(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 116 at Watchpoint.cpp:92
    frame #10: 0x00000001079037a0 JavaScriptCore`JSC::WatchpointSet::fireAll(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 80 at Watchpoint.h:160
    frame #11: 0x000000010790373e JavaScriptCore`JSC::WatchpointSet::invalidate(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 62 at Watchpoint.h:186
    frame #12: 0x0000000107fc502a JavaScriptCore`JSC::InlineWatchpointSet::invalidate(this=0x000000010683eae8, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 74 at Watchpoint.h:315
    frame #13: 0x0000000107fc4d1b JavaScriptCore`JSC::InferredValue::invalidate(this=0x000000010683eae0, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 75 at InferredValue.h:94
    frame #14: 0x0000000107fc4fd0 JavaScriptCore`JSC::InferredValue::ValueCleanup::finalizeUnconditionally(this=0x0000000104d1bed0) + 304 at InferredValue.cpp:128
    frame #15: 0x00000001084f7448 JavaScriptCore`JSC::SlotVisitor::finalizeUnconditionalFinalizers(this=0x0000000104ff5498) + 88 at SlotVisitor.cpp:460
    frame #16: 0x0000000107f9a9db JavaScriptCore`JSC::Heap::finalizeUnconditionalFinalizers(this=0x0000000104ff1018) + 43 at Heap.cpp:486
    frame #17: 0x0000000107f9eba6 JavaScriptCore`JSC::Heap::collectImpl(this=0x0000000104ff1018, collectionType=FullCollection, stackOrigin=0x00007fff5b259000, stackTop=0x00007fff5b256718, calleeSavedRegisters=0x00007fff5b256730) [37]) + 1478 at Heap.cpp:1179
    frame #18: 0x0000000107f9e59d JavaScriptCore`JSC::Heap::collect(this=0x0000000104ff1018, collectionType=FullCollection) + 141 at Heap.cpp:1107
    frame #19: 0x0000000107f9e4c5 JavaScriptCore`JSC::Heap::collectAndSweep(this=0x0000000104ff1018, collectionType=FullCollection) + 53 at Heap.cpp:1093
    frame #20: 0x00000001049aac0a jsc`JSC::Heap::collectAllGarbage(this=0x0000000104ff1018) + 26 at Heap.h:168
    frame #21: 0x00000001049b50ed jsc`functionGCAndSweep(exec=0x00007fff5b256860) + 45 at jsc.cpp:1326
    frame #22: 0x000044fcad601028
    frame #23: 0x00000001082f7e0c JavaScriptCore`llint_entry + 28040 at LowLevelInterpreter.asm:753
    frame #24: 0x000044fcad628635
    frame #25: 0x000044fcad61fdf1
    frame #26: 0x00000001082f7e0c JavaScriptCore`llint_entry + 28040 at LowLevelInterpreter.asm:753
    frame #27: 0x00000001082f0e6e JavaScriptCore`vmEntryToJavaScript + 334 at LowLevelInterpreter64.asm:253
    frame #28: 0x00000001080e7f77 JavaScriptCore`JSC::JITCode::execute(this=0x0000000104d979b0, vm=0x0000000104ff1000, protoCallFrame=0x00007fff5b256d18) + 215 at JITCode.cpp:80
    frame #29: 0x00000001080754ce JavaScriptCore`JSC::Interpreter::execute(this=0x0000000104df20b0, program=0x000000010579ff70, callFrame=0x00000001057e3940, thisObj=0x00000001057aba40) + 4270 at Interpreter.cpp:961
    frame #30: 0x0000000107a04d2d JavaScriptCore`JSC::evaluate(exec=0x00000001057e3940, source=0x00007fff5b258298, thisValue=JSValue @ 0x00007fff5b2581a0, returnedException=0x00007fff5b2582b8) + 477 at Completion.cpp:107
    frame #31: 0x00000001049b2b31 jsc`runWithScripts(globalObject=0x00000001057e3900, scripts={ size = 1, capacity = 0 }, uncaughtExceptionName={ length = 0, contents = '' }, dump=false, module=false) + 1329 at jsc.cpp:2101
    frame #32: 0x00000001049aa6ee jsc`runJSC(vm=0x0000000104ff1000, options=CommandLine @ 0x00007fff5b258828) + 1326 at jsc.cpp:2348
    frame #33: 0x00000001049a94ba jsc`jscmain(argc=2, argv=0x00007fff5b258938) + 138 at jsc.cpp:2401
    frame #34: 0x00000001049a9326 jsc`main(argc=2, argv=0x00007fff5b258938) + 166 at jsc.cpp:1983
    frame #35: 0x00007fffdd7d4255 libdyld.dylib`start + 1
    frame #36: 0x00007fffdd7d4255 libdyld.dylib`start + 1

Comment 1 Michael Saboff 2016-07-08 16:54:53 PDT

<rdar://problem/27211757>

Comment 2 Michael Saboff 2016-07-08 17:00:53 PDT

Created attachment 283226 [details]
Patch

Comment 3 Geoffrey Garen 2016-07-08 17:02:26 PDT

Comment on attachment 283226 [details]
Patch

r=me

Comment 4 Filip Pizlo 2016-07-08 17:13:58 PDT

Comment on attachment 283226 [details]
Patch

Wow, that's incredible!  R=me too!

Comment 5 WebKit Commit Bot 2016-07-08 17:25:04 PDT

Comment on attachment 283226 [details]
Patch

Clearing flags on attachment: 283226

Committed r203012: <http://trac.webkit.org/changeset/203012>

Comment 6 WebKit Commit Bot 2016-07-08 17:25:08 PDT

All reviewed patches have been landed.  Closing bug.