693966 - TI: Assertion failure: isOwned(), at ../../jsscope.h:414

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: Testcase for shell

The attached testcase asserts on jaegermonkey revision 07c668448519 (run with -m -n -a), tested on 64 bit.

Comment 1

[Christian Holler (:decoder)]

@bhackett: This might be the memory corruption we've been looking for and that I haven't been able to isolate in previous tests. During minimization the assert changed frequently (including the "addr % Cell::CellSize == 0" assertion), so it's likely that this is the same issue.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to Christian Holler (:decoder) from comment #1)
> @bhackett: This might be the memory corruption we've been looking for and
> that I haven't been able to isolate in previous tests. During minimization
> the assert changed frequently (including the "addr % Cell::CellSize == 0"
> assertion), so it's likely that this is the same issue.

Hurray! I've seen that Cell::CellSize assert too with not-so-reproducible testcases, so nice to see this almost nailed down.

Comment 3

[Brian Hackett [Laid off!]]

Attachment: patch

While converting objects to dictionary mode, the object was in an inconsistent state which could be observed by the GC --- the object appeared to be a dictionary, but its last property did not own its base shape nor have its slot span set.  While converting, the GC should only see the initial state for the object.  The fix maintains a stack variable with the dictionary as it is created, and once creation is finished the list is (infallibly) moved to the object and its slot span updated.

https://hg.mozilla.org/projects/jaegermonkey/rev/01a5df36675f