Closed Bug 582899 Opened 14 years ago Closed 14 years ago

JM: "Assertion failure: tempObj->isNative(),"

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

RESOLVED FIXED

People

(Reporter: gkw, Assigned: cdleary)

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-jaegermonkey)

Attachments

(1 file)

try {
    (function () {
        __proto__ = [];
        for each(y in [0, 0]) {
            this.__defineGetter__("", function () {})
        }
    })()
} catch (e) {}

asserts js debug shell on JM changeset 3700c42a8e82 with -m at Assertion failure: tempObj->isNative(), at ../methodjit/PolyIC.cpp:827
I'll check this one out.
Assignee: general → cdleary
Status: NEW → ASSIGNED
Ah, this is that thing I hadn't gotten around to following up on. If we see a native along the proto chain the shape is invalid. Was correct in the GetElem compiler but not the GetProp compiler. Putting a refactoring on my TODO list.
Attachment #461215 - Flags: review?(dvander)
A *non*-native, you mean (comment needs fixing).

/be
Comment on attachment 461215 [details] [diff] [review]
Bail if a native is seen when compiling getprop stub.

>diff --git a/js/src/methodjit/PolyIC.cpp b/js/src/methodjit/PolyIC.cpp
>--- a/js/src/methodjit/PolyIC.cpp
>+++ b/js/src/methodjit/PolyIC.cpp
>@@ -819,17 +819,23 @@ class GetPropCompiler : public PICStubCo
>             Address proto(pic.objReg, offsetof(JSObject, proto));
>             do {
>                 tempObj = tempObj->getProto();
>                 // FIXME: we should find out why this condition occurs. It is probably
>                 // related to PICs on globals.
>                 if (!tempObj)
>                     return false;
>                 JS_ASSERT(tempObj);
>-                JS_ASSERT(tempObj->isNative());
>+
>+                /* 
>+                 * If there is a native along the prototype chain the shape is technically
>+                 * invalid.
>+                 */
>+                if (!tempObj->isNative())
>+                    return false;
> 
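Review bot: the new block comment above `if (!tempObj->isNative())` says "a native along the prototype chain", but the condition bails on a non-native object, so the comment should read "non-native" to match the check it documents. The `JS_ASSERT(tempObj);` kept as context directly after `if (!tempObj) return false;` can never fire and could be dropped while this loop is being touched. The added comment opener `/* ` also carries trailing whitespace.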

false will propagate a failure. You want something like, return disable("non-native prototype")

r=me with that fixed

(extra credit: fix wrong return value on that tempObj check above)
Attachment #461215 - Flags: review?(dvander) → review+
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/pic/bug582899.js.
Flags: in-testsuite+