Closed Bug 483940 Opened 16 years ago Closed 14 years ago

TM: trace through val[obj] (both setting and getting) rather than aborting

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: gkw, Assigned: Waldo)

References

Details

Attachments

(1 file)

A start
3.49 KB, patch
Details | Diff | Splinter Review
for (var y = 0; y < 2; ++y) { (/x/)[this] } asserts at Assertion failure: JSVAL_IS_NULL(v), at ../jstracer.cpp:4952 with -j, seems to work as expected without -j, and in opt. autoBisect shows bug 478525, http://hg.mozilla.org/tracemonkey/rev/f449fe8bd097 may be related: The first bad revision is: changeset: 26145:f449fe8bd097 parent: 26142:33c5c42a29c7 user: Andreas Gal date: Tue Mar 17 15:39:42 2009 -0700 summary: Try harder to trace array access with non-int / non-string index (478525, r=brendan).
Flags: blocking1.9.1?
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Attached patch A startSplinter Review
This will trace this: var o = {toString: function() { return 0; } }; for (var y =0; y < 3; y++) print("" + [1][o]); but not this: var o = {toString: function() { return "0"; } }; for (var y =0; y < 3; y++) print("" + [1][o]); Recursion prevention in imacros bites here, not quite sure what to do about that yet -- tail-recursive imacros? On a last note, using |this| as the index will abort with this patch because of the |getprop toString| within the getobjprop imacro invocation -- gotta use a different object with a custom toString (for now, until JSFastNative can be traced) to meaningfully trace into the imacro.
OS: Mac OS X → All
Hardware: x86 → All
484120 stops the crash. This bug needs to improve performance for this case.
Depends on: 484120
Priority: -- → P3
Severity: critical → normal
for (var z = 0; z < 2; ++z) { ({ 0.1: null })} is another similar-looking testcase that asserts at Assertion failure: !JSVAL_IS_PRIMITIVE(v), at ../source/jstracer.cpp:8054 instead and has an identical regression window. (debug with -j)
(In reply to comment #3) > for (var z = 0; z < 2; ++z) { ({ 0.1: null })} > > is another similar-looking testcase that asserts at Assertion failure: > !JSVAL_IS_PRIMITIVE(v), at ../source/jstracer.cpp:8054 instead and has an > identical regression window. (debug with -j) The testcase in comment #0 has been fixed by the patch in bug 484120 per comment #2, but this testcase was not. Spun off as bug 484151.
Should this be marked fixed-in-tracemonkey as the patch in bug 484120 fixed this?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: P3 → P2
Whiteboard: [to be fixed by 484120]
(In reply to comment #5) > Should this be marked fixed-in-tracemonkey as the patch in bug 484120 fixed > this? Waldo?
No; bug 484120 changed the code so that we abort rather than hit the assertion, but we still should not abort and actually handle this case correctly -- which the patch here semi-but-not-completely fixes. Need to update and see about wrapping it up still...
Whiteboard: [to be fixed by 484120]
Flags: wanted1.9.1+
Flags: blocking1.9.1-
Flags: blocking1.9.1+
Summary: TM: "Assertion failure: JSVAL_IS_NULL(v), at ../jstracer.cpp" → TM: trace through val[obj] rather than aborting
x = this for(let y in ['', 0]) (/x/g [[]]) = x; asserts identically as comment #0 with TM tip with -j in debug; I don't know if they're the same cause. Will autoBisect later...
Flags: blocking1.9.1- → blocking1.9.1?
(In reply to comment #8) > Will autoBisect later... As in comment #0 for that testcase, this is also related to the same bug 478525.
Summary: TM: trace through val[obj] rather than aborting → TM: trace through val[obj] (both setting and getting) rather than aborting
Bug morphing-madness - now the testcase in comment #0 asserts differently: $ ./js-dbg-tm-intelmac -j js> for (var y = 0; y < 2; ++y) { (/x/)[this] } Assertion failure: initializing || known(p), at ../jstracer.cpp:1954 while the testcases in comment #3 and comment #8 seem to work as expected(i.e. they no longer assert). Can this bug please have an update esp. since we're so near code freeze - I wouldn't like another game of testcase-morphing-fun again..
Flags: in-testsuite?
(In reply to comment #10) > Bug morphing-madness - now the testcase in comment #0 asserts differently: > > $ ./js-dbg-tm-intelmac -j > js> for (var y = 0; y < 2; ++y) { (/x/)[this] } > Assertion failure: initializing || known(p), at ../jstracer.cpp:1954 see bug 488203 comment 14
(In reply to comment #11) > (In reply to comment #10) > > Bug morphing-madness - now the testcase in comment #0 asserts differently: > > > > $ ./js-dbg-tm-intelmac -j > > js> for (var y = 0; y < 2; ++y) { (/x/)[this] } > > Assertion failure: initializing || known(p), at ../jstracer.cpp:1954 > > see bug 488203 comment 14 ? I'm on TM tip, which has the patch that supposedly fixes that - http://hg.mozilla.org/tracemonkey/rev/e8c23c42db7f - see bug 488203 comment 18, or am I wrong?
I don't think it fixed it.
(In reply to comment #10) > Bug morphing-madness - now the testcase in comment #0 asserts differently: Now comment #0 has morphed _again_, it's now crashing dbg builds at TraceRecorder::getThis at a possibly exploitable 0xfffffffc. I'm not sure to security-fy this or not because it's in debug only, doesn't seem to crash opt.
(In reply to comment #14) > (In reply to comment #10) > > Bug morphing-madness - now the testcase in comment #0 asserts differently: > > Now comment #0 has morphed _again_, it's now crashing dbg builds at > TraceRecorder::getThis at a possibly exploitable 0xfffffffc. > > I'm not sure to security-fy this or not because it's in debug only, doesn't > seem to crash opt. Waldo suggests I file a new bug, so spun off as bug 489040.
Flags: blocking1.9.1?
Keywords: assertion, regression, testcase
I think this work has been superseded by other work elsewhere.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: