Bug 693966 - TI: Assertion failure: isOwned(), at ../../jsscope.h:414
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: general
Mentors:
Depends on:
Blocks: infer-regress langfuzz

Reported: 2011-10-12 04:31 PDT by Christian Holler (:decoder)
Modified: 2011-10-13 09:22 PDT
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Testcase for shell (1.08 KB, application/x-gzip), 2011-10-12 04:31 PDT, Christian Holler (:decoder)
patch (799 bytes, patch), 2011-10-13 08:45 PDT, Brian Hackett (:bhackett), luke: review+

Description Christian Holler (:decoder) 2011-10-12 04:31:57 PDT
Created attachment 566495 [details]
Testcase for shell

The attached testcase asserts on jaegermonkey revision 07c668448519 (run with -m -n -a), tested on 64 bit.
Comment 1 Christian Holler (:decoder) 2011-10-12 04:34:01 PDT
@bhackett: This might be the memory corruption we've been looking for and that I haven't been able to isolate in previous tests. During minimization the assert changed frequently (including the "addr % Cell::CellSize == 0" assertion), so it's likely that this is the same issue.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2011-10-12 07:45:52 PDT
(In reply to Christian Holler (:decoder) from comment #1)
> @bhackett: This might be the memory corruption we've been looking for and
> that I haven't been able to isolate in previous tests. During minimization
> the assert changed frequently (including the "addr % Cell::CellSize == 0"
> assertion), so it's likely that this is the same issue.

Hurray! I've seen that Cell::CellSize assert too with not-so-reproducible testcases, so nice to see this almost nailed down.
Comment 3 Brian Hackett (:bhackett) 2011-10-13 08:45:49 PDT
Created attachment 566841 [details] [diff] [review]
patch

While converting objects to dictionary mode, the object was in an inconsistent state which could be observed by the GC --- the object appeared to be a dictionary, but its last property did not own its base shape nor have its slot span set.  While converting, the GC should only see the initial state for the object.  The fix maintains a stack variable with the dictionary as it is created, and once creation is finished the list is (infallibly) moved to the object and its slot span updated.

https://hg.mozilla.org/projects/jaegermonkey/rev/01a5df36675f
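The hazard comment 3 describes, an object mutated in place while allocations in the same loop can run a GC that inspects it, and the fix pattern of building the new property list in a local and committing it to the object only when no further allocation can fail, as an added toy model in C. This is illustrative code written for this page, not SpiderMonkey's: the Shape, Object and Heap types, the owns_base flag standing in for an owned base shape, and the fail_after knob that simulates out-of-memory are all assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model, not SpiderMonkey code. A "shape" is one property in an
 * object's property chain. In dictionary mode the last shape must own its
 * base shape and the object must carry a slot span covering every slot. */
typedef struct Shape {
    struct Shape *parent;
    bool owns_base;
    int slot;
} Shape;

typedef struct Object {
    Shape *last;           /* most recently added property */
    bool in_dictionary;    /* object reports dictionary mode */
    int slot_span;         /* 0 until dictionary mode is entered */
} Object;

/* Allocation context. Every allocation may trigger a GC that inspects the
 * watched object, as a real engine's GC can run on any allocation.
 * fail_after (assumed knob) makes the Nth allocation fail; 0 = never. */
typedef struct {
    Object *watched;
    int fail_after;
    int allocs;
    bool gc_saw_inconsistent;
} Heap;

/* The GC's invariant, modelled on the isOwned() assertion in the title: a
 * dictionary-mode object's last shape owns its base and lies in the span. */
static bool object_is_consistent(const Object *obj) {
    if (!obj->in_dictionary || !obj->last)
        return true;
    return obj->last->owns_base && obj->last->slot < obj->slot_span;
}

static Shape *heap_alloc_shape(Heap *h) {
    h->allocs++;
    if (!object_is_consistent(h->watched))   /* the "GC" looks at the object */
        h->gc_saw_inconsistent = true;
    if (h->fail_after && h->allocs >= h->fail_after)
        return NULL;                          /* simulated out-of-memory */
    return calloc(1, sizeof(Shape));
}

static void free_chain(Shape *s) {
    while (s) { Shape *p = s->parent; free(s); s = p; }
}

/* Shared (non-owning) chain with slots 0..n-1: the object's initial state. */
static Shape *make_shared_chain(int n) {
    Shape *last = NULL;
    for (int i = 0; i < n; i++) {
        Shape *s = calloc(1, sizeof(Shape));
        s->parent = last;
        s->slot = i;
        last = s;
    }
    return last;
}

/* Copies a chain into owning dictionary shapes. On OOM frees the partial
 * copy and returns false; on success *out is the new last, *span the span. */
static bool clone_as_dictionary(Heap *h, Shape *from, Shape **out, int *span) {
    Shape *new_last = NULL, **tail = &new_last;
    *span = 0;
    for (Shape *s = from; s; s = s->parent) {
        Shape *d = heap_alloc_shape(h);       /* may run the GC, may fail */
        if (!d) { free_chain(new_last); return false; }
        d->slot = s->slot;
        d->owns_base = true;
        if (s->slot + 1 > *span) *span = s->slot + 1;
        *tail = d;
        tail = &d->parent;
    }
    *out = new_last;
    return true;
}

/* Buggy: the object is flipped to dictionary mode before the chain is
 * rebuilt, so a GC triggered inside the loop sees an object that claims to
 * be a dictionary while its last shape is still the shared one and its slot
 * span is still 0. After OOM the object stays in that state for good. */
static bool to_dictionary_buggy(Heap *h, Object *obj) {
    Shape *dict; int span;
    obj->in_dictionary = true;
    if (!clone_as_dictionary(h, obj->last, &dict, &span))
        return false;
    obj->last = dict;
    obj->slot_span = span;
    return true;
}

/* Fixed, following comment 3: the dictionary chain is built into a local
 * while the object keeps its initial state; only once every allocation has
 * succeeded is the list moved onto the object and its span set, with no
 * allocation (hence no GC) between the three stores. */
static bool to_dictionary_fixed(Heap *h, Object *obj) {
    Shape *dict; int span;
    if (!clone_as_dictionary(h, obj->last, &dict, &span))
        return false;                         /* object untouched on OOM */
    obj->last = dict;
    obj->slot_span = span;
    obj->in_dictionary = true;
    return true;
}

typedef struct {
    bool converted;            /* conversion reported success */
    bool gc_saw_inconsistent;  /* a GC during conversion saw a bad state */
    bool consistent_after;     /* object passes the GC check afterwards */
} Outcome;

static Outcome run_conversion(bool use_fix, int props, int fail_after) {
    Object obj = { make_shared_chain(props), false, 0 };
    Shape *shared = obj.last;
    Heap h = { &obj, fail_after, 0, false };
    Outcome o;
    o.converted = use_fix ? to_dictionary_fixed(&h, &obj)
                          : to_dictionary_buggy(&h, &obj);
    o.gc_saw_inconsistent = h.gc_saw_inconsistent;
    o.consistent_after = object_is_consistent(&obj);
    if (obj.last != shared) free_chain(obj.last);
    free_chain(shared);
    return o;
}

int main(void) {
    const char *names[] = { "buggy", "fixed" };
    for (int fix = 0; fix < 2; fix++) {
        Outcome ok = run_conversion(fix, 3, 0);
        Outcome oom = run_conversion(fix, 3, 2);
        printf("%s: GC saw inconsistent state=%d; consistent after OOM=%d\n",
               names[fix], ok.gc_saw_inconsistent, oom.consistent_after);
    }
    return 0;
}
```

The GC check in the model plays the role of the assertion in the bug title; with the buggy ordering it fires on the first allocation inside the rebuild, and a failed allocation leaves the object permanently inconsistent, which is exactly the class of state a later GC or a fuzzer's minimized testcase surfaces as a shifting assertion. The fixed version allocates everything first and then commits with plain stores, so the GC can only ever see the initial or the final state.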
