Closed Bug 620315 Opened 15 years ago Closed 15 years ago

"Assertion failure: unexpected constantly false guard detected" with "use strict", 4>this

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b9
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Assigned: Waldo)

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(3 files)

stack trace
3.83 KB, text/plain
Details
1 - Remove JSFUN_PRIMITIVE_THIS
12.80 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review
2 - Make JSFunction::inStrictMode assume isInterpreted()
2.95 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review
./js -j -m new Function('"use strict"; for (var j = 0; j < 9; ++j) { 4 > this; }')() Assertion failure: unexpected constantly false guard detected, at jstracer.cpp:4321
Attached file stack trace
The first bad revision is: changeset: 38cbd4e02afc user: Jeff Walden date: Tue Oct 12 11:50:03 2010 -0700 summary: Bug 514570 - 3 - Don't box |this| for strict mode functions. r=jorendorff
I thought we allowed constant-false guards....
blocking2.0: --- → ?
Assignee: general → jwalden+bmo
OS: Mac OS X → All
Hardware: x86 → All
I think this shouldn't block 2.0. Constantly false guards can cause sub-optimal performance but they aren't inherently incorrect or dangerous. dmandelin, can you mark it blocking2.x?
Why is this a fatal assert if it's not inherently incorrect?
new Function functions lack JSFUN_PRIMITIVE_THIS. You can also see the difference with this wrong behavior, interpreter-only (probably reproducible with methodjit too): var toString = function() { return 5; }; assertEq(new Function("'use strict'; return this > 4;")(), false); JSFUN_PRIMITIVE_THIS was misguided. It was introduced for natives, but natives always get it as I recall, so it's pointless. Detection based on it really should be for strict mode directly. This is type confusion (and wrong behavior moreover), so it should block.
(The effect is regs.fp->computeThis(cx) actually does computeThis here, when it shouldn't.)
(In reply to comment #6) > > Why is this a fatal assert if it's not inherently incorrect? Because it indicates poor code generation quality, and an assert is the easiest way to get people's attention. Can you think of a better alternative? (In reply to comment #7) > > This is type confusion (and wrong behavior moreover), so it should block. In that case, fair enough.
> Can you think of a better alternative? A debug printf that doesn't kill the browser and hence doesn't interfere with things like fuzz testing, say?
Well, maybe, though as this case shows it can be due to correctness issues as well. Do debug printfs tend to just get lost/ignored? That's my impression.
Sure; I was just basing my question on the "this is always safe" claims above...
blocking2.0: ? → -
I had both these patches finished a bit ago, left them running tests while I ran out to perform an errand -- might as well post them and get this fixed.
Attachment #499447 - Flags: review?
Looking at callers, I noticed most to all of them are already called on an interpreted function. It seems reasonable to push that check out to the two calling locations that explicitly need it, keep things a little bit thinner where we can.
Attachment #499449 - Flags: review?(dmandelin)
Attachment #499447 - Flags: review? → review?(dmandelin)
What's the risk level of landing these patches? I'm hesitant to move forward on nonblocking bugs at this point in case they cause regressions. (Also setting blocking to 2.x per comment 5, which I didn't see earlier.)
blocking2.0: - → .x
The former is code *removal* and simplification. Risk is low to start, and it's even lower because it makes the code smaller and clearer. The latter is even less risky -- just splitting up one very-trivial inline method into two separate calls at each caller, most of which already checked (or can trivially assume, e.g. that the function in question *being currently traced* must be interpreted) that the first such call already returned true, so need not be performed. In comment 7 I argue this is type confusion in the tracer and therefore should block. We only happened to trip over the particular assertion in the original report by dumb luck. You could easily go astray in other ways than just redundantly guarding here, and I am unwilling to give a limit for just how far astray you'd go.
...plus there are also behavioral differences between tracer and interpreter, and even flat-out bugs where we do things wrong regardless whether tracer, interpreter, or methodjit is configured.
OK, thanks for the clarification. Will review now.
blocking2.0: .x → betaN+
Attachment #499447 - Flags: review?(dmandelin) → review+
Comment on attachment 499449 [details] [diff] [review] 2 - Make JSFunction::inStrictMode assume isInterpreted() r+ with this addition: > inline bool > JSFunction::inStrictMode() const > { JS_ASSERT(isInterpreted()); >- return isInterpreted() && u.i.script->strictModeCode; >+ return script()->strictModeCode; > }
Attachment #499449 - Flags: review?(dmandelin) → review+
(In reply to comment #19) > r+ with this addition: > > > inline bool > > JSFunction::inStrictMode() const > > { > > JS_ASSERT(isInterpreted()); > > >- return isInterpreted() && u.i.script->strictModeCode; > >+ return script()->strictModeCode; > > } JSFunction::script() includes that assertion -- seems a nice readability win to rely on this, as I'm pretty sure we do elsewhere. Make sense?
(In reply to comment #20) > JSFunction::script() includes that assertion -- seems a nice readability win to > rely on this, as I'm pretty sure we do elsewhere. Make sense? Yes. I didn't know that.
http://hg.mozilla.org/tracemonkey/rev/f4c2edf5362e
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b9
http://hg.mozilla.org/mozilla-central/rev/f4c2edf5362e
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: