Closed Bug 481989 Opened 15 years ago Closed 15 years ago

TM: " Assertion failure: SPROP_HAS_STUB_SETTER(sprop), at ../jstracer.cpp"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: gkw, Assigned: gal)

References

Details

(Keywords: assertion, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

v2
8.83 KB, patch
brendan
: review+
Details | Diff | Splinter Review 
y = this.watch("x", function(){}); for each (let y in ['', '']) x = y

Assertion failure: SPROP_HAS_STUB_SETTER(sprop), at ../jstracer.cpp:7019

Seems to work as expected, both in opt and without -j. Possible regression of bug 476871?
Flags: blocking1.9.1?
Assignee: general → gal
Attached patch patch (obsolete) — Splinter Review 
for (var i = 0; i < 100; i++)
    {
        var o = {valueOf: undefined, toString: toString};
        var q = 5 + o;
    }

The attached patch fails to compile the above code from trace-tests.js because of:

00020:   3  name "undefined"
00023:   3  initprop "valueOf"
abort: 1840: slotless obj property
Abort recording of tree x.js:1@17 at x.js:3@23: SetPropHit.

I wonder whether thats true and we shouldn't be tracing this.
Argh, activeCallOrGlobalSlot has grown three ABORT_TRACE hidden returns before obligatory OBJ_DROP_PROPERTY, first one r=me by graydon, then two by you based on it. Sorry -- we should probably use an explicit return and avoid repeated DROP then ABORT then-clauses.

Anyway, I don't se why initprop should abort in that case with the patch. What is sprop->slot, what is scope->map.freeslot, when that "slotless obj property" abort happens?

/be
Argh^2, the TRACE_2(SetPropHit...) in js_Interpret's JSOP_INITPROP case is too early. It should come just before the break from the do-while(0); loop.

This doesn't affect the rules for OBJ_DROP_PROPERTY after OBJ_LOOKUP_PROPERTY (or a call to a wrapper around it, namely js_FindProperty -- or to its concrete impl js_LookupProperty).

/be
Attached patch v2Splinter Review 

        Attachment #366077 -
        Attachment is obsolete: true

        Attachment #366081 -
        Flags: review?(brendan)

    
    

    
  
Comment on attachment 366081 [details] [diff] [review]
v2

>+TraceRecorder::isDirectSlot(JSScope* scope, JSScopeProperty* sprop)

Should be isValidSlot or some such. Longer names possible, I like that one currently.

>+{
>+    uint32 setflags = (js_CodeSpec[*cx->fp->regs->pc].format & (JOF_SET | JOF_INCDEC | JOF_FOR));
>+
>+    if (setflags && !SPROP_HAS_STUB_SETTER(sprop))
>+        ABORT_TRACE("non-stub setter");
>+    if (setflags != JOF_SET && !SPROP_HAS_STUB_GETTER(sprop))
>+        ABORT_TRACE("non-stub getter");
>+    if (setflags && (sprop->attrs & JSPROP_READONLY))
>+        ABORT_TRACE("writing to a read-only property");

Two of the above three ifs start with setflags, so common that:

    if (setflags) {
        if (!SPROP_HAS_STUB_SETTER(sprop))
            ABORT_TRACE("non-stub setter");
        if (sprop->attrs & JSPROP_READONLY)
            ABORT_TRACE("writing to a read-only property");
    }

    /* This check applies even when setflags == 0. */
    if (setflags != JOF_SET && !SPROP_HAS_STUB_GETTER(sprop))
        ABORT_TRACE("non-stub getter");

The setflags != JOF_SET case has to work even when !setflags. Worth a comment?

r=me with above addressed.

/be

        Attachment #366081 -
        Flags: review?(brendan) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/4c66b8ccb1b8
Whiteboard: fixed-in-tracemonkey
Flags: in-testsuite?

    
    

    
  
also covered by js1_5/extensions/regress-455413.js. 

definitely regressed by bug 476871 http://hg.mozilla.org/tracemonkey/rev/1852d9fe853d

This was tracemonkey only right? Can we mark if fixed and move on?
Blocks: 476871

    
    

    
  
Looks like tm only.

/be
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
    

    
  
also covered by js1_5/Regress/regress-210682.js, js1_5/Regress/regress-462989.js (browser at least)

    
  
Flags: blocking1.9.1? → blocking1.9.1+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/20c36d75e58a
/cvsroot/mozilla/js/tests/js1_8/extensions/regress-481989.js,v  <--  regress-481989.js
initial revision: 1.1
Flags: in-testsuite? → in-testsuite+

    
    

    
  
v 1.9.1, 1.9.2 modulo js1_5/Regress/regress-210682.js (bug 488203 which should be fixed as well).
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1

    
  
No longer depends on: 495962

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: