Closed Bug 1172503 Opened 5 years ago Closed 5 years ago

Assertion failure: !!desc.object() == objHasOwn, at js/src/vm/NativeObject.cpp:1990

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical
Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla43
Tracking Status
firefox41 --- affected
firefox43 --- fixed

People

(Reporter: decoder, Assigned: jorendorff)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 7d4ab4a9febd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

// Put a scripted proxy on the global object's prototype chain. Its `has`
// trap runs script in the middle of any name lookup that misses on the
// global and walks up to the prototype.
this.__proto__ = Proxy.create({
  has:function(){
    try {
      // Unqualified assignment to an undeclared name: this re-enters the
      // global's property-set path (SetNameOperation -> NativeSetProperty ->
      // SetNonexistentProperty -> SetPropertyByDefining in the backtrace)
      // while the outer lookup is still in progress.
      aa0 = Function(undefined);
    } catch (aa) {}
  }
});
// Reference an undefined global so the lookup walks into the proxy's trap.
m();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006f46dd in js::SetPropertyByDefining (cx=cx@entry=0x7ffff691b4e0, obj=..., obj@entry=..., id=id@entry=..., v=..., v@entry=..., receiverValue=..., receiverValue@entry=..., objHasOwn=objHasOwn@entry=false, result=...) at js/src/vm/NativeObject.cpp:1990
#0  0x00000000006f46dd in js::SetPropertyByDefining (cx=cx@entry=0x7ffff691b4e0, obj=..., obj@entry=..., id=id@entry=..., v=..., v@entry=..., receiverValue=..., receiverValue@entry=..., objHasOwn=objHasOwn@entry=false, result=...) at js/src/vm/NativeObject.cpp:1990
#1  0x00000000006f480e in SetNonexistentProperty (cx=cx@entry=0x7ffff691b4e0, obj=obj@entry=..., id=id@entry=..., v=..., receiver=receiver@entry=..., qualified=<optimized out>, result=...) at js/src/vm/NativeObject.cpp:2092
#2  0x000000000070256b in js::NativeSetProperty (cx=cx@entry=0x7ffff691b4e0, obj=..., obj@entry=..., id=id@entry=..., value=..., value@entry=..., receiver=..., receiver@entry=..., qualified=qualified@entry=js::Unqualified, result=...) at js/src/vm/NativeObject.cpp:2265
#3  0x000000000069518c in js::SetNameOperation (cx=0x7ffff691b4e0, script=<optimized out>, pc=<optimized out>, scope=..., val=...) at js/src/vm/Interpreter-inl.h:325
#4  0x00000000008a9e28 in js::jit::DoSetPropFallback (cx=0x7ffff691b4e0, frame=<optimized out>, stub_=<optimized out>, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:9088
#5  0x00007ffff7feed4f in ?? ()
#6  0x00007ffff7ff299d in ?? ()
#7  0x00007fffffe02308 in ?? ()
#8  0xfffc7ffff4d92ac0 in ?? ()
#9  0xfff9000000000000 in ?? ()
#10 0x0000000001a64b40 in js::jit::DoCallNativeSetterInfo ()
#11 0x00007ffff4d51af0 in ?? ()
#12 0x00007ffff7ff29b4 in ?? ()
#13 0x0000000000000801 in ?? ()
#14 0x00007fffffe02368 in ?? ()
#15 0x00007ffff699f890 in ?? ()
#16 0xfffc7ffff4d5a060 in ?? ()
#17 0xfffc7ffff4d92ac0 in ?? ()
#18 0xfffc7ffff4d92ac0 in ?? ()
#19 0xfffc7ffff4d5a060 in ?? ()
#20 0xfffa000000000010 in ?? ()
#21 0x00007fffffe02948 in ?? ()
#22 0x00007fffffe023c0 in ?? ()
#23 0x0000000000000060 in ?? ()
#24 0x00007ffff4d5a060 in ?? ()
#25 0x00007ffff694a601 in ?? ()
#26 0x00007ffff693c000 in ?? ()
#27 0x00007fffffe02801 in ?? ()
#28 0x00000000ffe023c0 in ?? ()
#29 0x00007fffffe02410 in ?? ()
#30 0x00007ffff7fe8d6f in ?? ()
#31 0x0000000000000203 in ?? ()
#32 0x00007ffff4d73340 in ?? ()
#33 0x0000000000000001 in ?? ()
#34 0xfffc7ffff4d65160 in ?? ()
#35 0xfffafffff4d72778 in ?? ()
#36 0x00007fffffe027c0 in ?? ()
#37 0x00007fffffe02440 in ?? ()
#38 0x00007ffff7fe8c00 in ?? ()
#39 0x00007fffffe02460 in ?? ()
#40 0x00007ffff691b4e0 in ?? ()
#41 0x00007fffffe02760 in ?? ()
#42 0x00007fffffe02720 in ?? ()
#43 0x000000000082a46d in EnterBaseline (cx=0x0, data=...) at js/src/jit/BaselineJIT.cpp:125
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
rax	0x0	0
rbx	0x7fffffe01c70	140737486265456
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffe01ce0	140737486265568
rsp	0x7fffffe01bd0	140737486265296
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffe01990	140737486264720
r11	0x7ffff6c27960	140737333328224
r12	0x7fffffe01c10	140737486265360
r13	0x7fffffe01f30	140737486266160
r14	0x7ffff691b4e0	140737330132192
r15	0x1	1
rip	0x6f46dd <js::SetPropertyByDefining(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool, JS::ObjectOpResult&)+1837>
=> 0x6f46dd <js::SetPropertyByDefining(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool, JS::ObjectOpResult&)+1837>:	movl   $0x7c6,0x0
   0x6f46e8 <js::SetPropertyByDefining(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool, JS::ObjectOpResult&)+1848>:	callq  0x4933b0 <abort()>
I guess we really can't do this optimization for just any object. We should probably restrict it to native objects. Oh, and I hope proxies on the global's prototype chain go away...
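The comment above points at a general hazard, not just an engine detail: once a scripted proxy sits on the prototype chain, a property lookup can run arbitrary code, so any "does the receiver already own this property?" answer computed before the lookup may be stale by the time it is acted on. The following plain JavaScript is an added illustration written for this page; it is not the reporter's testcase, the patch, or SpiderMonkey's own code. It uses the standard `new Proxy` API rather than the legacy `Proxy.create` in the testcase, and the names `makeReceiver`, `naiveAssign`, `safeAssign` and the key `"aa0"` are assumptions chosen for the example.

```javascript
"use strict";
// Added illustration (not from bug 1172503 or SpiderMonkey): a `has` trap on
// the prototype chain defines the looked-up property on the receiver itself,
// so an own-ness flag computed before the chain walk no longer matches reality
// after it. The helper names and the key "aa0" are assumptions.

const KEY = "aa0";

// Receiver whose prototype is a Proxy. The trap re-enters and installs KEY as
// an own property of the receiver, then reports "absent". That answer is legal
// because the proxy target has no such property, so no proxy invariant breaks.
function makeReceiver() {
  const trapCalls = [];
  const receiver = {};
  const handler = {
    has(target, key) {
      trapCalls.push(String(key));
      if (key === KEY && !Object.prototype.hasOwnProperty.call(receiver, KEY)) {
        Object.defineProperty(receiver, KEY, {
          value: "defined by trap", writable: true, enumerable: true, configurable: true,
        });
      }
      return false;
    },
  };
  Object.setPrototypeOf(receiver, new Proxy({}, handler));
  return { receiver, trapCalls };
}

// Model of the removed optimization: decide objHasOwn once, walk the chain
// (which runs trap code), then trust the cached flag when defining. The
// returned `assertionHolds` has the same shape as the engine's
// `!!desc.object() == objHasOwn` check.
function naiveAssign(receiver, key, value) {
  const objHasOwn = Object.prototype.hasOwnProperty.call(receiver, key);
  const foundOnChain = key in receiver;                 // may run the proxy trap
  const ownNow = Object.getOwnPropertyDescriptor(receiver, key) !== undefined;
  if (!objHasOwn) {
    // Cached flag says "not own": define blindly, clobbering whatever the
    // trap installed in the meantime.
    Object.defineProperty(receiver, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return { objHasOwn, foundOnChain, ownNow, assertionHolds: ownNow === objHasOwn };
}

// Hardened variant: never carry an own-ness answer across a step that can run
// script. Re-derive the descriptor after the chain walk and act on that.
// Only plain data properties are modelled; an accessor or read-only property
// makes the assignment fail.
function safeAssign(receiver, key, value) {
  const foundOnChain = key in receiver;                 // may run the proxy trap
  const desc = Object.getOwnPropertyDescriptor(receiver, key);
  if (desc === undefined) {
    Object.defineProperty(receiver, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
    return true;
  }
  if (desc.writable !== true) return false;
  receiver[key] = value;                                // own writable data property
  return !foundOnChain || true;
}
```

Running `naiveAssign` against `makeReceiver().receiver` with the key `"aa0"` returns `objHasOwn: false` but `ownNow: true`, the exact disagreement the assertion in SetPropertyByDefining trips on; with any other key the two agree. `safeAssign` reaches the same end state without ever trusting a pre-trap answer.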
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7837628feeca
user:        Jason Orendorff
date:        Wed Nov 12 11:46:38 2014 -0600
summary:     Bug 1090636, part 15 - Optimize away the HasOwnProperty call in SetPropertyByDefining, in the common case. No change in behavior, theoretically. r=efaust.

This iteration took 162.248 seconds to run.
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
As far as I can tell, this "optimization" is pretty unlikely to ever make anything faster. Some of the cases where it applies are actually covered by other, better optimizations. The rest are covered by ICs.
Attachment #8620581 - Flags: review?(evilpies) → review+
url:        https://hg.mozilla.org/integration/mozilla-inbound/rev/8f410f4e8f5cc1960eb0812ff7c469dc96a08f9c
changeset:  8f410f4e8f5cc1960eb0812ff7c469dc96a08f9c
user:       Jason Orendorff <jorendorff@mozilla.com>
date:       Wed Jun 10 15:54:38 2015 -0500
description:
Bug 1172503 - Delete unwarranted optimization to fix "Assertion failure: !!desc.object() == objHasOwn, at js/src/vm/NativeObject.cpp:1990". r=evilpie.
https://hg.mozilla.org/mozilla-central/rev/8f410f4e8f5c
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43