Closed Bug 770332 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: obj->unknownProperties(), at jsinfer.cpp:1635

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase asserts on ionmonkey revision 6688ede89a36 (run with --ion -n -m):


function TestCase(n, d, e, a) {}
function reportCompare (expected, actual, description) {
  var testcase = new TestCase("unknown-test-name", description, expected, actual);
}
var status = 'Testing scope after changing obj.__proto__';
function test() {
  let ( actual = [ ]  ) TestCase   .__proto__ = null;
  reportCompare (expect, actual, status);
}
var actual = 'error';
var expect = 'error';
for (i = 0; i < 100000; i++)  {
  test();
}

Brian, it looks like IonMonkey calls TypeSet::WatchObjectStateChange on the callee when inlining a function. The comment just says it's to "trigger invalidation of the caller".

I don't see a similar call in JM+TI, and the call is failing the assert that the callee doesn't have unknown properties.

What's the right fix here? Should we just drop the call to WatchObjectStateChange?

When inlining one function into another the caller needs to be sensitive to changes in type information in the callee which are not explicitly associated with freeze constraints. e.g., if a type barrier suddenly appears at an opcode then both the script containing that opcode and any other scripts it was inlined into will need to be recompiled.

JM does this using HasObjectFlags(..., OBJECT_FLAG_UNINLINEABLE), which will trigger recompilation both on one of the changes above and in changes to the UNINLINEABLE flag.  IM doesn't care about the UNINLINEABLE flag, but using WatchObjectStateChange will still catch the above cases, and it will need to be called for each inlined callee.  I think that the fix should be to just not inline callees whose properties are totally unknown.  This will almost never happen with scripted functions, and does so in this case because of the assignment to __proto__.
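
The dependency described in the comment above, as a toy C++ model added here for illustration; it is not SpiderMonkey code and not written by anyone in this thread. `TypeObject`, `Script`, `watchObjectStateChange`, `tryInline` and `onCalleeStateChange` are hypothetical simplifications that only borrow the names used in the discussion.

```cpp
// Toy model, added for illustration; not SpiderMonkey code. All names are hypothetical.
#include <cassert>
#include <vector>

struct Script;
struct TypeObject {                  // stand-in for a callee's type object
    bool unknownProperties = false;  // set e.g. by an assignment to __proto__
    std::vector<Script*> watchers;   // compiled callers to invalidate on change
};
struct Script {
    TypeObject type;
    bool compiled = false;
    int recompiles = 0;
};

// Invariant from the bug: a state-change watch may only be registered on an
// object whose properties are still tracked.
void watchObjectStateChange(TypeObject& obj, Script& caller) {
    assert(!obj.unknownProperties);
    obj.watchers.push_back(&caller);
}

// Fix discussed in the thread: do not inline such a callee at all, so the
// watch is never requested. Returns true when the callee was inlined.
bool tryInline(Script& caller, Script& callee) {
    if (callee.type.unknownProperties)
        return false;                // emit an ordinary call instead
    watchObjectStateChange(callee.type, caller);
    return true;
}

// Callee type information changed (e.g. a type barrier appeared): every
// script that inlined it holds stale code and must be recompiled.
void onCalleeStateChange(Script& callee) {
    for (Script* s : callee.type.watchers) {
        s->compiled = false;
        s->recompiles++;
    }
    callee.type.watchers.clear();
}

int main() {
    Script caller, callee, odd;
    caller.compiled = true;
    odd.type.unknownProperties = true;
    bool inlined = tryInline(caller, callee);  // caller now watches callee
    bool refused = !tryInline(caller, odd);    // no watch, no assertion
    onCalleeStateChange(callee);
    return (inlined && refused && !caller.compiled) ? 0 : 1;
}
```
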

Attached patch fix
Okay, thanks for the explanation.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #641634 - Flags: review?(bhackett1024)
Attachment #641634 - Flags: review?(bhackett1024) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/243f0d95967e
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug770332.js.
Flags: in-testsuite+