Closed Bug 767973 Opened 13 years ago Closed 13 years ago

IonMonkey: Assertion failure: entry->prop == shape, at jsinterp.cpp:964

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

RESOLVED DUPLICATE of bug 772303

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][ion:p1:fx18])

Attachments

(1 file)

Attached file Testcase for shell
The attached testcase asserts on ionmonkey revision 2f9a29078126 (run with --ion -n -m).
Note that this bug also reproduces with --no-ion. It also shows Valgrind errors when running in an opt build, like these:
==13246== Conditional jump or move depends on uninitialised value(s)
==13246==    at 0x80B7ABA: PickChunk(JSCompartment*) (jsgc.cpp:628)
==13246==    by 0x80C19F6: js::gc::ArenaLists::refillFreeList(JSContext*, js::gc::AllocKind) (jsgc.cpp:1480)
==13246==    by 0x815CAF3: JSScript::Create(JSContext*, bool, JSPrincipals*, JSPrincipals*, bool, bool, js::GlobalObject*, JSVersion, unsigned int) (jsgcinlines.h:419)
==13246==    by 0x81FBDC1: js::frontend::CompileScript(JSContext*, JSObject*, js::StackFrame*, JSPrincipals*, JSPrincipals*, bool, bool, bool, unsigned short const*, unsigned int, char const*, unsigned int, JSVersion, JSString*, unsigned int) (BytecodeCompiler.cpp:112)
Not sure if this is a problem on ionmonkey only, but it did not reproduce for me on m-c.
Can't reproduce with d85ca085f35d (tip).
The test was quite unstable. Were you able to repro on the specified revision?
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
I was able to reproduce this on the revision in comment 0. It's a debug-only property cache bug; the following nativeContains call in PropertyCache::fullTest triggered a GC:
    JS_ASSERT(pobj->nativeContains(cx, NameToId(name)));
The GC then zeroes the property cache table and we return an invalid PropertyCacheEntry. Bug 772303 fixed this by changing the nativeContains call to nativeContainsNoAllocation so that it will no longer trigger a GC. Opening up since it's debug-only.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
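The failure mode described in the last comment, as an added toy model in C++ (not SpiderMonkey code and not part of the bug report): a sanity check that can allocate runs a collection, the collection zeroes the cache table, and the entry handed back no longer matches the looked-up shape. All names (Runtime, Entry, fullTest, contains, containsNoAllocation, entryStillValid) are hypothetical stand-ins, and the GC trigger is a constructed counter.

```cpp
#include <cstdio>
#include <cstring>

// Toy model only: every name here is a hypothetical stand-in, not SpiderMonkey code.
struct Entry { const void* shape; int slot; };

struct Runtime {
    Entry cache[4];
    int allocsUntilGC;   // constructed trigger: a GC runs when this reaches 0
    int gcCount = 0;

    explicit Runtime(int n) : allocsUntilGC(n) { std::memset(cache, 0, sizeof cache); }

    // A collection purges the cache by zeroing the whole table.
    void gc() { std::memset(cache, 0, sizeof cache); ++gcCount; }

    // Any allocation may trigger a collection.
    void allocate() { if (--allocsUntilGC <= 0) gc(); }

    // Membership check that may allocate, and therefore may GC.
    bool contains(const void* shape) { allocate(); return shape != nullptr; }

    // Membership check that never allocates, so it can never GC.
    bool containsNoAllocation(const void* shape) const { return shape != nullptr; }
};

// Fills a cache entry, runs a debug-style sanity check, then returns the entry.
// With allocatingCheck set, the check itself can zero the entry being returned.
const Entry* fullTest(Runtime& rt, const void* shape, bool allocatingCheck) {
    Entry* e = &rt.cache[0];
    e->shape = shape;
    e->slot = 7;
    bool ok = allocatingCheck ? rt.contains(shape) : rt.containsNoAllocation(shape);
    (void)ok;            // a real debug build would assert on this
    return e;
}

// True when the returned entry still matches the shape the caller looked up.
bool entryStillValid(bool allocatingCheck) {
    static int dummyShape;
    Runtime rt(1);       // the very next allocation triggers a GC
    const Entry* e = fullTest(rt, &dummyShape, allocatingCheck);
    return e->shape == &dummyShape;
}

int main() {
    std::printf("allocating check:    entry valid = %d\n", entryStillValid(true));
    std::printf("no-allocation check: entry valid = %d\n", entryStillValid(false));
    return 0;
}
```

The general rule the model illustrates: code that holds a raw pointer into a table the collector can purge must not call anything that may allocate before it is done with that pointer, and that includes calls made only inside debug assertions.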