Last Comment Bug 688939 - Assertion failure: script->ownerObject == owner, at jsscript.cpp:309
: Assertion failure: script->ownerObject == owner, at jsscript.cpp:309
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
-- critical (vote)
: mozilla10
Assigned To: Bill McCloskey (:billm)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz
  Show dependency treegraph
Reported: 2011-09-23 21:51 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:38 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

fix (10.34 KB, patch)
2011-09-26 10:54 PDT, Bill McCloskey (:billm)
dmandelin: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2011-09-23 21:51:04 PDT
The following test asserts on mozilla-central revision 959c1e6bdb11 (options -m -n -a):

for (var i = 0; i < 100; i++ )

S-s for now because this is GC related.
Comment 1 User image Gary Kwong [:gkw] [:nth10sd] 2011-09-24 03:53:24 PDT
I got this too in jsfunfuzz.
Comment 2 User image Jesse Ruderman 2011-09-24 11:20:55 PDT
And I get this in the browser with RandomJS. (My testcase also uses gczeal.)
Comment 3 User image Bill McCloskey (:billm) 2011-09-26 10:54:36 PDT
Created attachment 562481 [details] [diff] [review]

This was a bogus assertion, unfortunately. The setOwnerObject call was supposed to happen right after setting u.i.script. But that inadvertently got broken in a few places. I've added a setter to make it less likely for this to happen again.
Comment 4 User image Bill McCloskey (:billm) 2011-09-26 10:56:00 PDT
Also, not S-S. Except for the assertion, the code was fine.
Comment 6 User image Ed Morley [:emorley] 2011-10-06 03:42:47 PDT
Comment 7 User image Christian Holler (:decoder) 2013-01-14 08:38:16 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug688939.js.

Note You need to log in before you can comment on or make changes to this bug.