
TI: Assertion failure: isOwned(), at ../../jsscope.h:414

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Modified: 6 years ago
Reporter: decoder
Assignee: Unassigned
Blocks: 2 bugs
Version: Trunk
Platform: x86_64 Linux
Keywords: assertion, testcase
Attachments: 2

Description (decoder, 6 years ago)

Created attachment 566495: Testcase for shell

The attached testcase asserts on jaegermonkey revision 07c668448519 (run with -m -n -a), tested on 64-bit.
Comment 1 (decoder, 6 years ago)
@bhackett: This might be the memory corruption we've been looking for and that I haven't been able to isolate in previous tests. During minimization the assert changed frequently (including the "addr % Cell::CellSize == 0" assertion), so it's likely that this is the same issue.
(In reply to Christian Holler (:decoder) from comment #1)
> @bhackett: This might be the memory corruption we've been looking for and
> that I haven't been able to isolate in previous tests. During minimization
> the assert changed frequently (including the "addr % Cell::CellSize == 0"
> assertion), so it's likely that this is the same issue.

Hurray! I've seen that Cell::CellSize assert too with not-so-reproducible testcases, so nice to see this almost nailed down.
Attachment #566495 - Attachment mime type: text/plain → application/x-gzip
Created attachment 566841: patch

While converting objects to dictionary mode, the object was in an inconsistent state which could be observed by the GC --- the object appeared to be a dictionary, but its last property did not own its base shape nor have its slot span set.  While converting, the GC should only see the initial state for the object.  The fix maintains a stack variable with the dictionary as it is created, and once creation is finished the list is (infallibly) moved to the object and its slot span updated.

https://hg.mozilla.org/projects/jaegermonkey/rev/01a5df36675f
Attachment #566841 - Flags: review?(luke)
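The pattern described in the patch comment above (do all fallible work into a local, then commit infallibly so an interleaving GC never observes a half-converted object) as an added, self-contained illustration. This is not SpiderMonkey's code: BaseShape, Shape, Object, gcSeesConsistent and the allocBase hook are a hypothetical, simplified model that echoes the names in the bug report but does not reproduce jsscope.h. The GC is modelled as a consistency check run at every allocation, counting violations instead of asserting so the in-place and staged conversions can be compared.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical model of a property-shape list (not SpiderMonkey's types).
struct BaseShape {
    uint32_t slotSpan;        // only meaningful for an owned (dictionary) base
};

struct Shape {
    uint32_t slot;
    std::unique_ptr<BaseShape> ownedBase;   // null => shares a non-dictionary base
    bool isOwned() const { return ownedBase != nullptr; }
};

struct Object {
    std::vector<Shape> shapes;              // shapes.back() is the last property
    bool inDictionaryMode = false;
    uint32_t slotSpan = 0;
};

// The GC's view, i.e. the invariant behind the failing assertion: a
// dictionary-mode object's last property must own its base shape, and that
// base must carry the object's slot span.
bool gcSeesConsistent(const Object& obj) {
    if (!obj.inDictionaryMode)
        return true;
    const Shape& last = obj.shapes.back();
    return last.isOwned() && last.ownedBase->slotSpan == obj.slotSpan;
}

// Hypothetical allocation hook: every allocation is a point where the GC may
// run and inspect the object being converted. Violations are counted rather
// than aborting. (Real allocation can fail; this model never does.)
int g_gcViolations = 0;

std::unique_ptr<BaseShape> allocBase(const Object& observed) {
    if (!gcSeesConsistent(observed))
        ++g_gcViolations;
    return std::unique_ptr<BaseShape>(new BaseShape{0});
}

// Before: convert in place. The object is flagged as a dictionary before its
// shapes own their bases, so a GC triggered inside allocBase() sees the
// half-converted state.
void toDictionaryModeInPlace(Object& obj) {
    obj.inDictionaryMode = true;
    for (Shape& s : obj.shapes)
        s.ownedBase = allocBase(obj);       // possible GC; object is inconsistent here
    obj.slotSpan = static_cast<uint32_t>(obj.shapes.size());
    obj.shapes.back().ownedBase->slotSpan = obj.slotSpan;
}

// After: do every fallible allocation into a local list while the object still
// presents its original, consistent state, then commit without allocating.
bool toDictionaryModeStaged(Object& obj) {
    std::vector<std::unique_ptr<BaseShape>> pending;
    pending.reserve(obj.shapes.size());
    for (size_t i = 0; i < obj.shapes.size(); ++i) {
        std::unique_ptr<BaseShape> base = allocBase(obj);   // GC sees original state
        if (!base)
            return false;                   // nothing has touched obj yet
        pending.push_back(std::move(base));
    }
    // Commit: no allocation below this line, so no GC can interleave.
    uint32_t span = static_cast<uint32_t>(obj.shapes.size());
    for (size_t i = 0; i < obj.shapes.size(); ++i)
        obj.shapes[i].ownedBase = std::move(pending[i]);
    obj.shapes.back().ownedBase->slotSpan = span;
    obj.slotSpan = span;
    obj.inDictionaryMode = true;
    return true;
}

// Constructed sample: an object with three shared-base properties.
Object makeSampleObject() {
    Object obj;
    for (uint32_t i = 0; i < 3; ++i)
        obj.shapes.push_back(Shape{i, nullptr});
    return obj;
}

int violationsInPlace() {
    g_gcViolations = 0;
    Object obj = makeSampleObject();
    toDictionaryModeInPlace(obj);
    return g_gcViolations;             // one violation per allocation: 3
}

int violationsStaged() {
    g_gcViolations = 0;
    Object obj = makeSampleObject();
    toDictionaryModeStaged(obj);
    return g_gcViolations;             // 0
}

bool stagedResultConsistent() {
    Object obj = makeSampleObject();
    return toDictionaryModeStaged(obj) && gcSeesConsistent(obj);
}

int main() {
    std::printf("in-place conversion: %d GC-visible inconsistent states\n", violationsInPlace());
    std::printf("staged conversion:   %d GC-visible inconsistent states\n", violationsStaged());
    return 0;
}
```

The point the model makes is the ordering: in the staged version the object is only marked as a dictionary after every allocation has succeeded, so a collector that runs during any of those allocations sees the untouched original, which is exactly what the patch comment says the GC should see.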

Updated (6 years ago)
Attachment #566841 - Flags: review?(luke) → review+
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED