[Webkit-unassigned] [Bug 144027] New: JSC_logGC=2 fails with assertion failure on trunk.
bugzilla-daemon at webkit.org
Tue Apr 21 17:58:15 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=144027
Bug ID: 144027
Summary: JSC_logGC=2 fails with assertion failure on trunk.
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
When running with JSC_logGC=2 on a debug build of trunk (r183084), I'm now getting the following assertion failure:
ASSERTION FAILED: m_gcData == (remembered ? Marked : MarkedAndRemembered)
/Volumes/Data/ws3/OpenSource/Source/JavaScriptCore/runtime/JSCell.h(163) : void JSC::JSCell::setRemembered(bool)
Process 82807 stopped
* thread #1: tid = 0x1010a7a, 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
frame #0: 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321
318 globalHook();
319
320 WTFReportBacktrace();
-> 321 *(int *)(uintptr_t)0xbbadbeef = 0;
322 // More reliable, but doesn't say BBADBEEF.
323 #if COMPILER(CLANG) || COMPILER(GCC)
324 __builtin_trap();
(lldb) bt 10
* thread #1: tid = 0x1010a7a, 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
* frame #0: 0x0000000103cda32a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:321
frame #1: 0x00000001037fa216 JavaScriptCore`JSC::JSCell::setRemembered(this=0x000000011a08de70, remembered=true) + 86 at JSCell.h:163
frame #2: 0x0000000103bde9dc JavaScriptCore`JSC::LoggingFunctor::reviveCells(this=0x00007fff5f81b790) + 236 at GCLogging.cpp:92
frame #3: 0x0000000103bde8c9 JavaScriptCore`JSC::LoggingFunctor::~LoggingFunctor(this=0x00007fff5f81b790) + 25 at GCLogging.cpp:63
frame #4: 0x0000000103bde705 JavaScriptCore`JSC::LoggingFunctor::~LoggingFunctor(this=0x00007fff5f81b790) + 21 at GCLogging.cpp:62
frame #5: 0x0000000103bde41c JavaScriptCore`JSC::GCLogging::dumpObjectGraph(heap=0x000000011a026198) + 108 at GCLogging.cpp:112
frame #6: 0x00000001037f6749 JavaScriptCore`JSC::Heap::didFinishCollection(this=0x000000011a026198, gcStartTime=885198.95418514905) + 233 at Heap.cpp:1326
frame #7: 0x00000001037f5a32 JavaScriptCore`JSC::Heap::collectImpl(this=0x000000011a026198, collectionType=AnyCollection, stackOrigin=0x00007fff5fc00000, stackTop=0x00007fff5f81b998, calleeSavedRegisters=0x00007fff5f81b9b0) [37]) + 1458 at Heap.cpp:1095
frame #8: 0x00000001037f543d JavaScriptCore`JSC::Heap::collect(this=0x000000011a026198, collectionType=AnyCollection) + 141 at Heap.cpp:1018
frame #9: 0x00000001032f1167 JavaScriptCore`JSC::Heap::collectIfNecessaryOrDefer(this=0x000000011a026198) + 87 at HeapInlines.h:326
I got the above trace with JSC_useJIT=0 JSC_verifyHeap=1 JSC_logGC=2 JSC_useZombieMode=1 JSC_numberOfGCMarkers=1.