iOS: EXC_BAD_ACCESS in bool js::gc::IsAboutToBeFinalized<js::types::TypeObject>

[orangemocha]

Running the iOS Test App, release build:

Test 440: test-regress-GH-4027.js
EXC_BAD_ACCESS
#0	0x00000001011b0675 in bool js::gc::IsAboutToBeFinalized<js::types::TypeObject>(js::types::TypeObject**) ()
thaliproject/jxcore#1	0x00000001012bb898 in JSCompartment::sweepNewTypeObjectTable(js::HashSet<js::types::TypeObjectWithNewScriptEntry, js::types::TypeObjectWithNewScriptEntry, js::SystemAllocPolicy>&) ()
thaliproject/jxcore#2	0x00000001012892d0 in JSCompartment::sweep(js::FreeOp*, bool) ()
thaliproject/jxcore#3	0x00000001012ac5c2 in js::gc::GCRuntime::beginSweepingZoneGroup() ()
thaliproject/jxcore#4	0x00000001012acd25 in js::gc::GCRuntime::beginSweepPhase(bool) ()
thaliproject/jxcore#5	0x00000001012adeea in js::gc::GCRuntime::incrementalCollectSlice(long long, JS::gcreason::Reason) ()
thaliproject/jxcore#6	0x00000001012ae3a6 in js::gc::GCRuntime::gcCycle(bool, long long, js::JSGCInvocationKind, JS::gcreason::Reason) ()
thaliproject/jxcore#7	0x00000001012ae6bd in js::gc::GCRuntime::collect(bool, long long, js::JSGCInvocationKind, JS::gcreason::Reason) ()
thaliproject/jxcore#8	0x000000010135bbd1 in JSRuntime::~JSRuntime() ()
thaliproject/jxcore#9	0x000000010127991d in JS_DestroyRuntime(JSRuntime*) ()
thaliproject/jxcore#10	0x00000001010d3d44 in jxcore::JXEngine::Destroy() ()
thaliproject/jxcore#11	0x00000001010d237c in JX_StopEngine ()
thaliproject/jxcore#12	0x000000010107c8ba in +[TestRunner startChildEngine] at /Users/alexis/github/jxcore/tools/ios-test/iOS-Test/TestRunner.m:353
thaliproject/jxcore#13	0x000000010107c9df in JXcoreProxy_CB at /Users/alexis/github/jxcore/tools/ios-test/iOS-Test/jxcore-callback.h:17
thaliproject/jxcore#14	0x000000010139904b in nspr::Thread::ThreadRoutine(void*) ()
thaliproject/jxcore#15	0x00000001047e999d in _pthread_body ()
thaliproject/jxcore#16	0x00000001047e991a in _pthread_start ()
thaliproject/jxcore#17	0x00000001047e7351 in thread_start ()

The crash happens at random times. I reproduced it both with iPhone 6 (10.2) and iPhone 7 Plus (10.2) simulators.

[orangemocha]

I am afraid this is likely a SpiderMonkey bug. Looks like it was a frequent hitter around version 34. https://bug635044.bugzilla.mozilla.org/show_bug.cgi?id=1081769

That bug was resolved fixed by adding some release diagnostics, which are included in our build. However it doesn't look like the release asserts are effective. In the end, it seemed to have disappeared from SM overtime but it's not clear which changes made it go away.

I did a quick search through SM crash signatures (eg: https://crash-analysis.mozilla.com/release-mgmt/2015-02-27/2015-02-27.firefox.beta.37.0.startup.html) and crashes with similar signature appear in several later builds in 2015. A wild guess led me to hypothesize that this was fixed with the fix for https://bugzilla.mozilla.org/show_bug.cgi?id=1182730, but the patch doesn't apply cleanly.