Closed
Bug 597945
Opened 15 years ago
Closed 15 years ago
"Assertion failure: getSlot(slot).isUndefined(),"
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla2.0b7
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | beta7+ |
People
(Reporter: gkw, Assigned: brendan)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
4.44 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
function b(foo) {
delete foo.d
delete foo.w
foo.d = true
foo.w = Object
delete Object.defineProperty(foo, "d", ({
set: Math.w
})); {}
}
for each(e in [arguments, arguments]) {
try {
b(e)('')
} catch (e) {}
}
asserts js debug shell on TM changeset 3559d9fded5f without -m nor -j at Assertion failure: getSlot(slot).isUndefined(),
|
Reporter | |
Updated•15 years ago
|
blocking2.0: --- → ?
|
|
Reporter | |
Comment 1•15 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 53414:b1facf8ba54e
user: Brendan Eich
date: Thu Sep 02 14:50:44 2010 -0700
summary: Eliminate JSObject::freeslot via monotonic lastProp->freeslot (592556, r=jorendorff,dvander).
Blocks: 592556
|
|
||
Comment 2•15 years ago
|
||
To start with, this fails:
var a = {d:true};
Object.defineProperty(a, "d", {set: undefined});
delete a.d;
assertEq(a.hasOwnProperty("d"), true);
Waldo might want to take a look and see why his megatest didn't catch this.
|
|
||
Comment 3•15 years ago
|
||
And here's the crashing version of that, minimized from comment 0.
var a = {d: true, w: true};
Object.defineProperty(a, "d", {set: undefined});
delete a.d;
delete a.w;
a.d = true;
|
|
Assignee | |
Comment 4•15 years ago
|
||
(In reply to comment #2)
> To start with, this fails:
>
> var a = {d:true};
> Object.defineProperty(a, "d", {set: undefined});
> delete a.d;
> assertEq(a.hasOwnProperty("d"), true);
>
> Waldo might want to take a look and see why his megatest didn't catch this.
Whoa:
js> Object.defineProperty(a, "d", {set: undefined});
({})
js> Object.getOwnPropertyDescriptor(a, "d")
({get:(void 0), set:(void 0), enumerable:true, configurable:true})
Why are enumerable and configurable defaulting to true?
Debugging a bit, the |var a = {d:true}| makes an object with enumerable, writable, configurable 'd'. The Object.defineProperty(a, "d", {set:undefined}) call then sets up a PropDesc with attrs SHARED | SETTER | PERMANENT | READONLY, which check out.
But then DefinePropertyOnObject computes a changed mask thus:
2222 uintN changed = 0;
(gdb)
2223 if (desc.hasConfigurable)
(gdb)
2225 if (desc.hasEnumerable)
(gdb)
2227 if (desc.hasGet)
(gdb)
2229 if (desc.hasSet)
(gdb)
2230 changed |= JSPROP_SETTER | JSPROP_SHARED;
(gdb) p/x desc.attrs
$7 = 0x66
(gdb) p/x changed
$9 = 0x60
(gdb) n
2232 attrs = (desc.attrs & changed) | (shape->attributes() & ~changed);
(gdb) n
2233 if (desc.hasGet) {
(gdb) p/x attrs
$10 = 0x61
We have lost PERMANENT and READONLY, aka not-configurable and not-writable, even though these are the defaults, and the PropDesc's attrs had them right.
Waldo around? This needs a bug, pronto.
/be
|
|
Assignee | |
Comment 5•15 years ago
|
||
Filed bug 598164 on the Object.defineProperty problem.
/be
|
|
Assignee | |
Comment 6•15 years ago
|
||
This is in the way of my fix for bug 595805.
Separating slot allocation and putting it a layer up from shape change looks better all the time.
/be
|
|
Assignee | |
Comment 7•15 years ago
|
||
(In reply to comment #5)
> Filed bug 598164 on the Object.defineProperty problem.
Now RESOLVED INVALID. I was burned by the issue Jeff brought up (too late but it's a good point) on es-discuss: Object.defineProperty is really two APIs in one: createProperty and changeProperty.
/be
|
|
Assignee | |
Updated•15 years ago
|
|
|
Assignee | |
Updated•15 years ago
|
|
|
||
Updated•15 years ago
|
Attachment #476937 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Comment 8•15 years ago
|
||
Whiteboard: fixed-in-tracemonkey
|
||
Comment 9•15 years ago
|
||
I backed this out because it was failing a 597945-1.js on all platforms. probably something simple, but other stuff needs merging.
REFTEST TEST-UNEXPECTED-FAIL | file:///home/cltbld/talos-slave/tracemonkey_fedora-debug_test-jsreftest/build/jsreftest/tests/jsreftest.html?test=js1_8_5/regress/regress-597945-1.js | Unknown file:///home/cltbld/talos-slave/tracemonkey_fedora-debug_test-jsreftest/build/jsreftest/tests/js1_8_5/regress/regress-597945-1.js:16: arguments is not defined item 1
blocking2.0: ? → beta7+
Whiteboard: fixed-in-tracemonkey
|
|
Assignee | |
Comment 10•15 years ago
|
||
Sorry about that -- fuzzer generated global arguments usage and I missed it. Just needed a shell-only incantation in jstests.list:
http://hg.mozilla.org/tracemonkey/rev/28428a30999f
/be
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 11•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Comment 12•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/tests/js1_8_5/regress/regress-597945-1.js.
Flags: in-testsuite+
|
|
Reporter | |
Comment 13•12 years ago
|
||
Testcases have been landed by virtue of being marked in-testsuite+ -> VERIFIED as well.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•