Last Comment Bug 688939 - Assertion failure: script->ownerObject == owner, at jsscript.cpp:309
: Assertion failure: script->ownerObject == owner, at jsscript.cpp:309
Status: RESOLVED FIXED
js-triage-done
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: mozilla10
Assigned To: Bill McCloskey (:billm)
:
Mentors:
Depends on:
Blocks: langfuzz
  Show dependency treegraph
 
Reported: 2011-09-23 21:51 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:38 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments
fix (10.34 KB, patch)
2011-09-26 10:54 PDT, Bill McCloskey (:billm) 		dmandelin: review+
Details | Diff | Splinter Review
View All Add an attachment (proposed patch, testcase, etc.)

Description Christian Holler (:decoder) 2011-09-23 21:51:04 PDT 
The following test asserts on mozilla-central revision 959c1e6bdb11 (options -m -n -a):


gczeal(2);
string=""
for (var i = 0; i < 100; i++ )
  hex=newGlobal('same-compartment');


S-s for now because this is GC related.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-09-24 03:53:24 PDT 
I got this too in jsfunfuzz.
Comment 2 Jesse Ruderman 2011-09-24 11:20:55 PDT 
And I get this in the browser with RandomJS. (My testcase also uses gczeal.)
Comment 3 Bill McCloskey (:billm) 2011-09-26 10:54:36 PDT 
Created attachment 562481 [details] [diff] [review]
fix

This was a bogus assertion, unfortunately. The setOwnerObject call was supposed to happen right after setting u.i.script. But that inadvertently got broken in a few places. I've added a setter to make it less likely for this to happen again.
Comment 4 Bill McCloskey (:billm) 2011-09-26 10:56:00 PDT 
Also, not S-S. Except for the assertion, the code was fine.
Comment 6 Ed Morley [:emorley] 2011-10-06 03:42:47 PDT 
https://hg.mozilla.org/mozilla-central/rev/f7cf12c7ae38
Comment 7 Christian Holler (:decoder) 2013-01-14 08:38:16 PST 
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug688939.js.
Note You need to log in before you can comment on or make changes to this bug.