Closed Bug 567152 Opened 15 years ago Closed 15 years ago

"Assertion failure: !generic(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- beta1+

People

(Reporter: gkw, Assigned: jorendorff)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 2 obsolete files)

v3
4.19 KB, patch
brendan
: review+
Details | Diff | Splinter Review
delete this.uneval function g(code) { var f = new Function(code) try { f() } catch (r) {} delete this.uneval } g("\ [\ []\ ].some(function (a) {\ this.w = function () {\ a\ }\ })\ ") asserts js debug shell without -j on TM tip at Assertion failure: !generic(), at ../jsscope.h:426
Tested on 64-bit Linux. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 41518:539d04cccb8b user: Jason Orendorff date: Fri Apr 30 08:29:04 2010 -0500 summary: Bug 560998 - Assertion failure: entry->vword.toObject() == JSVAL_TO_OBJECT(v). r=brendan.
Blocks: 560998
blocking2.0: --- → ?
function c(a) { // make the global GENERIC this.w = function () { a; }; } c(0); // after this, the global scope has both // BRANDED and GENERIC bits set delete this.uneval; delete this.uneval; // JS_ResolveStandardClass redefines uneval // (in order to delete it again), triggering bug
Attached patch v1 (obsolete) — Splinter Review
It is a little weird that branded() asserts this way instead of just testing both bits. But ok.
Assignee: general → jorendorff
Attachment #446738 - Flags: review?(brendan)
Attached patch v2 (obsolete) — Splinter Review
The question, really, is what should happen when we reach JSOP_UNBRAND or UNBRANDTHIS and the operand is already branded. Here is my guess. I think overflowing rt->shapeGen here is harmless, or at least there's nothing to be done about it. I can comment that if it would help understanding.
Attachment #446738 - Attachment is obsolete: true
Attachment #446837 - Flags: review?(brendan)
Attachment #446738 - Flags: review?(brendan)
Even simpler: once branded, there's no point in being generic, since the shape has already evolved unpredictably (only singleton objects are cacheable). So how about restricting state evolution to {} -> {branded} -(would-be generic)->{branded} or {} -> {generic} -(would-be branded)->{generic} /be
Jason, should we stall this while I work on bug 558451? Did you plan to do something like what is proposed in comment 5? /be
Attached patch v3Splinter Review
Sorry. The weekend was crazy, and I was on a plane all yesterday. I think we should push this unless it'll cause merge pains for you.
Attachment #446837 - Attachment is obsolete: true
Attachment #447339 - Flags: review?(brendan)
Attachment #446837 - Flags: review?(brendan)
Don't worry about the merge pain, but please do respond to the proposed reduced state machine in comment 5. /be
That's what v3 is, I think.
Attachment #447339 - Flags: review?(brendan) → review+
Comment on attachment 447339 [details] [diff] [review] v3 Thanks, missed v3 for some reason there... /be
blocking2.0: ? → beta1+
Just helping out... http://hg.mozilla.org/tracemonkey/rev/331702c6884f
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/331702c6884f
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/tests/js1_8_5/regress/regress-567152.js.
Flags: in-testsuite+
Testcases have been landed by virtue of being marked in-testsuite+ -> VERIFIED as well.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: