458857 - TM: "Assertion failure: ngslots == tm->globalTypeMap->length()" with gc and generator as getters

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect, P2)

Description

[Jesse Ruderman]

$ cat d3.js

var h = {};
for (let i = 0; i < 5; ++i)
  h["a" + i] = function(){};
h.__defineGetter__('r', gc);
h.__defineGetter__('q', function() { yield; });
h.__defineSetter__('r', function() { });
for (x in h) { }
[1 for each (x in h) if ('')];

$ ~/tracemonkey/js/src/Darwin_DBG.OBJ/js -j d3.js

before 28716, after 20480, break 00400000
Assertion failure: ngslots == tm->globalTypeMap->length(), at jstracer.cpp:2656

This bug can also cause a null deref in js_ExecuteTree.

Comment 1

[Jesse Ruderman]

Because my script for tracking known jsfunfuzz crashes ignores stack position, the js_ExecuteTree crash here may prevent me from noticing many other crashes.

Comment 2

[Bob Clary [:bc] (inactive)]

js1_6/extensions/regress-455464-04.js also shows this

Comment 3

[David Anderson [:dvander] - inactive, e-mail if emergency]

CallIteratorNext is calling back into native code from on trace, which is a problem - but worse a GC hits and pulls everything out from under our feet.

Comment 4

[Jesse Ruderman]

Bug 461915 might be related.

Comment 5

[Jesse Ruderman]

The patch for bug 458851 seems to have fixed bug 461915 but not this bug.

Comment 6

[Brendan Eich [:brendan]]

(In reply to comment #3)
> CallIteratorNext is calling back into native code from on trace, which is a
> problem - but worse a GC hits and pulls everything out from under our feet.

See bug 462042. I'll focus on generator aspects here and leave GC not pulling everything out from under our feet for that bug.

/be

Comment 7

[Andreas Gal :gal]

WFM. I fixed the cause so I am comfortable closing.

Comment 8

[Andreas Gal :gal]

Meant to close as WFM.

Comment 9

[Jesse Ruderman]

Filed bug 465225 on another crash caused by this testcase.