502914 - JIT code can call js_AddProperty when the property already exists (Assertion failure: !SCOPE_HAS_PROPERTY(scope, sprop), at ../jsbuiltins.cpp:257)

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jason Orendorff [:jorendorff]]

function f1() {}
function C() {}
var x = C.prototype = {m: f1};
x.m();  // brand scope
var arr = [new C, new C, new C, x];
for (var i = 0; i < 4; i++) {
    arr[i].m = 12;
    x.m();  // should throw last time through
}

Without -j:
  crasher.js:10: TypeError: x.m is not a function
With -j in a debug build:
  Assertion failure: !SCOPE_HAS_PROPERTY(scope, sprop), at ../jsbuiltins.cpp:257
With -j in a release build, no output.

A harmless correctness bug in the (release) browser, unless it affects any real-world web pages, which I doubt.

Comment 1

[Jason Orendorff [:jorendorff]]

Two bugs here. As the summary originally said, we assign a non-function to a function-valued property without bumping the shape. But more importantly, we're calling js_AddProperty here on an object whose scope already contains the desired property. By chance this turns out to be safe, though the behavior is wrong.

I would no longer call this "harmless". It's as important to fix as any assertion.

Comment 2

[Jason Orendorff [:jorendorff]]

Attachment: v1

Theoretically this makes some property assignments slower, but I saw no change in bench.sh.

Comment 3

[Andreas Gal :gal]

Comment on attachment 387299 [details] [diff] [review]
v1

++jorendorff

Comment 4

[Jason Orendorff [:jorendorff]]

http://hg.mozilla.org/tracemonkey/rev/6661bcf160cb

Comment 5

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/6661bcf160cb

Comment 6

[Bob Clary [:bc] (inactive)]

trace-test testBug502914