-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Assertion `!atom_is_free(p)' with -DDUMP_FREE=1 #2
Comments
It's not just string-tagcloud.js, I also hit it with
|
Interestingly, I can no longer reproduce with string-tagcloud.js (or sunspider in general) but |
I observe that Specifically, it's the My hunch is that something somewhere forgets to call JS_DupAtom() but hard to pin down where. |
There is a mode to debug refcounts, maybe that helps? It's commented in quickjs.h |
This one: CONFIG_CHECK_JSVALUE -- I've never tried it though... |
Fixed in #350 |
Moved over from bnoordhuis/quickjit#1. Only seems to happen with string-tagcloud.js from sunspider.
Backtrace looks like this:
And also:
Note to self:
atom=479
with the free flag removed is479 >> 1 == 239
butrt->atom_array[239]
doesn't contain a valid entry either.Interestingly:
It's a use-after-free in the runtime teardown code, i=479:
A short while later it tries to print the function name of the bytecode object but that's the atom that was freed.
The text was updated successfully, but these errors were encountered: