620643 - JM: "Assertion failure: obj" with typed array

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

Attachment: stack trace

./js -m

var a = new Int32Array(); +(a[0]={}); 

Assertion failure: obj, at js/src/jsval.h:487

Comment 1

[Jesse Ruderman]

Autobisect incorrectly blames rev 7b2fa4fb0e8f, a merge in August from TM to JM. Getting the correct regressing changeset would be difficult.

Comment 2

[Jesse Ruderman]

A more insane testcase triggers:

Assertion failure: v.toGCThing(), at js/src/jsgcinlines.h:535

Comment 3

[Brian Hackett [Laid off!]]

Attachment: patch

The problem is that stubs::SetElem calls setProperty but reuses the value it clobbers for the result of the SETELEM, rather than the original rvalue.  The rvalue is an object, setProperty changes it to undefined, JIT code thinks the result is still an object so ends up with a mangled Value.

I went through StubCalls.cpp and this is the only place this was done.

Comment 4

[David Mandelin [:dmandelin]]

Comment on attachment 499298 [details] [diff] [review]
patch

Thanks for the explanatory note. Could you also change the name 'retval' to 'rval' since it isn't actually the retval now (and of course wasn't truly before)?

Comment 5

[Brian Hackett [Laid off!]]

http://hg.mozilla.org/tracemonkey/rev/8a9c6231fd52

Comment 6

[Chris Leary [:cdleary] (not checking bugmail)]

http://hg.mozilla.org/mozilla-central/rev/8a9c6231fd52

Comment 7

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug620643.js.