Closed Bug 951957 Opened 11 years ago Closed 11 years ago

Assertion failure: isOwned(), at vm/Shape.h

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 938124

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, regression)

Attachments

(1 file)

Stack from Crash Reporter
38.31 KB, text/plain
Details 
Assertion failure: isOwned(), at vm/Shape.h is an assertion that has hard-to-reproduce testcases, and which appeared fairly recently (probably in the past weeks?).

The changeset that landed this assert ( http://hg.mozilla.org/mozilla-central/annotate/04a70c8908de/js/src/vm/Shape.h#l705 ) was at:

http://hg.mozilla.org/mozilla-central/rev/d6d732ef5650

in bug 708735 by Waldo, but I'm not sure if it's the regressor.

JIT folks, any ideas? From the stack, are we jumping to/from the baseline/VM?
Flags: needinfo?(kvijayan)
Flags: needinfo?(jdemooij)
Can't possibly be that -- the assertion was present in the method before that changeset, I just happened to modify the line that included it.
hg grep --all --follow 'slotSpan\(\) const \{ JS_ASSERT\(isOwned\(\)\)' js/src/vm/Shape.h

I think the assertion was added by:

changeset:   http://hg.mozilla.org/mozilla-central/rev/17bce205714e
user:        Brian Hackett
date:        Wed Oct 05 11:54:28 2011 -0700
summary:     Address shape number removal review comments, bug 684505.
Flags: needinfo?(bhackett1024)
I think this was fixed by the most recent patch in bug 938124.  Looking at the crashing thread's stack, it is calling getSlotRef() on a global object in valueIsEval.  This isn't thread safe and if the main thread effects a shape change on the global object bad things can happen.  Namely, I think what happened here is the off thread read a shape pointer from the global object --- which is in dictionary mode, where only the last property owns its base shape --- and the main thread then reshaped the global and took away that shape's own base shape before the other thread could read its slot span, leading to this assertion.

When updating the patch in bug 938124 the thread safety analysis caught this bad use of getSlotRef(), and I replaced it with getSlotForCompilation(), which is safe to be called from the compilation thread.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(kvijayan)
Flags: needinfo?(jdemooij)
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: