578041 - JM: "Assertion failure: IsSaneThisObject(argv[-1].toObject()),"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

__defineGetter__("x",Float32Array)
with(this)x

asserts at Assertion failure: IsSaneThisObject(argv[-1].toObject()), at ../jsinterp.cpp:306 on moo tip changeset 60c111fc0d4b without -m.

Tested only on 64-bit Ubuntu 10.04.

Program received signal SIGABRT, Aborted.
0x00007ffff7bce7bb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
42	../nptl/sysdeps/unix/sysv/linux/pt-raise.c: No such file or directory.
	in ../nptl/sysdeps/unix/sysv/linux/pt-raise.c
(gdb) bt
#0  0x00007ffff7bce7bb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x000000000053e000 in JS_Assert (s=0x5937c8 "IsSaneThisObject(argv[-1].toObject())", file=0x593698 "../jsinterp.cpp", ln=306) at ../jsutil.cpp:80
#2  0x0000000000495888 in js::ComputeThisFromArgv (cx=0x82a1a0, argv=0x7ffff6a8a1f8) at ../jsinterp.cpp:306
#3  0x0000000000439786 in js::ComputeThisFromVp (cx=0x82a1a0, vp=0x7ffff6a8a1e8) at ../jsinterp.h:284
#4  0x000000000049608b in js::Invoke (cx=0x82a1a0, args=..., flags=0) at ../jsinterp.cpp:715
#5  0x0000000000496343 in js::InternalInvoke (cx=0x82a1a0, thisv=..., fval=..., flags=0, argc=0, argv=0x0, rval=0x7fffffffd590) at ../jsinterp.cpp:771
#6  0x0000000000494989 in InternalCall (cx=0x82a1a0, obj=0x7ffff6901480, fval=..., argc=0, argv=0x0, rval=0x7fffffffd590) at ../jsinterp.h:349
#7  0x0000000000496418 in js::InternalGetOrSet (cx=0x82a1a0, obj=0x7ffff6901480, id=..., fval=..., mode=JSACC_READ, argc=0, argv=0x0, rval=0x7fffffffd590) at ../jsinterp.cpp:799
#8  0x00000000004bbdca in JSScopeProperty::get (this=0x82ee58, cx=0x82a1a0, obj=0x7ffff6901480, pobj=0x7ffff6901000, vp=0x7fffffffd590) at ../jsscopeinlines.h:281
#9  0x00000000004b5c7a in js_NativeGet (cx=0x82a1a0, obj=0x7ffff6901480, pobj=0x7ffff6901000, sprop=0x82ee58, getHow=0, vp=0x7fffffffd590) at ../jsobj.cpp:4747
#10 0x00000000005720f0 in js::Interpret (cx=0x82a1a0) at ../jsops.cpp:2475
#11 0x0000000000495ce4 in js::RunScript (cx=0x82a1a0, script=0x831740, fun=0x0, scopeChain=0x7ffff6901000) at ../jsinterp.cpp:462
#12 0x0000000000496a96 in js::Execute (cx=0x82a1a0, chain=0x7ffff6901000, script=0x831740, down=0x0, flags=0, result=0x7fffffffe030) at ../jsinterp.cpp:923
#13 0x0000000000428656 in JS_ExecuteScript (cx=0x82a1a0, obj=0x7ffff6901000, script=0x831740, rval=0x7fffffffe030) at ../jsapi.cpp:4637
#14 0x0000000000404d14 in Process (cx=0x82a1a0, obj=0x7ffff6901000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:533
#15 0x000000000040572a in ProcessArgs (cx=0x82a1a0, obj=0x7ffff6901000, argv=0x7fffffffe2d0, argc=0) at ../../shell/js.cpp:860
#16 0x000000000040dadd in shell (cx=0x82a1a0, argc=0, argv=0x7fffffffe2d0, envp=0x7fffffffe2d8) at ../../shell/js.cpp:5038
#17 0x000000000040dbed in main (argc=0, argv=0x7fffffffe2d0, envp=0x7fffffffe2d8) at ../../shell/js.cpp:5129

Comment 1

[Chris Leary [:cdleary] (not checking bugmail)]

Need to do the same resolution on prop$ miss that we do with JSOP_CALLNAME in
JSOP_NAME.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Seems to be fatval-related. (and not to JM/moo)

Comment 3

[Chris Leary [:cdleary] (not checking bugmail)]

(In reply to comment #2)
> Seems to be fatval-related. (and not to JM/moo)

Gary, I'm not sure what you mean -- IsSaneThisObject was added with the eager-|this| patch in bug 574697, which only landed on JM/moo so far as I know. Where does the fatval branch live nowadays?

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #3)
> (In reply to comment #2)
> > Seems to be fatval-related. (and not to JM/moo)
> 
> Gary, I'm not sure what you mean -- IsSaneThisObject was added with the
> eager-|this| patch in bug 574697, which only landed on JM/moo so far as I know.
> Where does the fatval branch live nowadays?

You're right - I got myself confused with some of the other bugs.

The fatval branch is at http://hg.mozilla.org/users/lwagner_mozilla.com/fatval/

Comment 5

[Luke Wagner [:luke]]

I am unable to reproduce this on fatval tip on 32-bit debug linux or 64-bit debug os x.

Comment 6

[Chris Leary [:cdleary] (not checking bugmail)]

Attachment: Normalize with object on getter sprops.

Call the thisObject hook when a js_WithClass object is encountered with a getter sprop on it.

Comment 7

[Jesse Ruderman]

I hit this on moo branch but not on tm branch.

Comment 8

[Brendan Eich [:brendan]]

Comment on attachment 462307 [details] [diff] [review]
Normalize with object on getter sprops.

See jsscopeinlines.h, JSScopeProperty::get and JSScopeProperty::set -- you need to unwrap With objects for PropertyOp getters and setters too (not sure setters are an issue with the method jit).

The sprop->hasGetterValue() test means you are covering only user-defined getters here. In jsscopeinlines.h the user-defined cases flow down through InternalGetOrSet -> InternalCall (luke is fixing these names) and general |this| normalizing code takes care of With.

/be

Comment 9

[Jason Orendorff [:jorendorff]]

Comment on attachment 462307 [details] [diff] [review]
Normalize with object on getter sprops.

Right, this needs at least !sprop->hasDefaultGetter() instead of sprop->hasGetterValue(). r=me with that change.

I don't think there's any issue with setters; JSOP_SETNAME checks for obj->getOps()->setProperty and calls it.

Comment 10

[Chris Leary [:cdleary] (not checking bugmail)]

http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/b0fcf1ff31ed

Comment 11

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug578041.js.