Closed Bug 693966 Opened 10 years ago Closed 10 years ago

TI: Assertion failure: isOwned(), at ../../jsscope.h:414

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached file Testcase for shell
The attached testcase asserts on jaegermonkey revision 07c668448519 (run with -m -n -a), tested on 64 bit.
@bhackett: This might be the memory corruption we've been looking for and that I haven't been able to isolate in previous tests. During minimization the assert changed frequently (including the "addr % Cell::CellSize == 0" assertion), so it's likely that this is the same issue.
(In reply to Christian Holler (:decoder) from comment #1)
> @bhackett: This might be the memory corruption we've been looking for and
> that I haven't been able to isolate in previous tests. During minimization
> the assert changed frequently (including the "addr % Cell::CellSize == 0"
> assertion), so it's likely that this is the same issue.

Hurray! I've seen that Cell::CellSize assert too with not-so-reproducible testcases, so nice to see this almost nailed down.
Attachment #566495 - Attachment mime type: text/plain → application/x-gzip
Attached patch patchSplinter Review
While converting objects to dictionary mode, the object was in an inconsistent state which could be observed by the GC --- the object appeared to be a dictionary, but its last property did not own its base shape nor have its slot span set.  While converting, the GC should only see the initial state for the object.  The fix maintains a stack variable with the dictionary as it is created, and once creation is finished the list is (infallibly) moved to the object and its slot span updated.

https://hg.mozilla.org/projects/jaegermonkey/rev/01a5df36675f
Attachment #566841 - Flags: review?(luke)
Attachment #566841 - Flags: review?(luke) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.