Closed Bug 628334 Opened 12 years ago Closed 12 years ago

TM: Assertion failure: shape->hasDefaultSetter(), at ../jstracer.cpp:12207

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+

People

(Reporter: jandem, Assigned: jorendorff)

References

Details

(4 keywords, Whiteboard: [softblocker][fixed-in-tracemonkey])

Attachments

(2 files)

Stacktrace
1.20 KB, text/plain
Details
v1
3.71 KB, patch
gal
: review+
Details | Diff | Splinter Review 
--
var o = {};
o.watch("p", function() { });

for(var i=0; i<20; i++) {
    o.p = 123;
    delete o.p;
}
--
This asserts with -j:

Assertion failure: shape->hasDefaultSetter(), at ../jstracer.cpp:12207
The first bad revision is:
changeset:   60418:33c58d16d911
user:        Jason Orendorff <jorendorff@mozilla.com>
date:        Fri Jan 14 16:18:53 2011 -0600
summary:     Bug 559653 - Record assignment before the interpreter goes, mostly. This reduces record_SetPropHit to a narrower callback, record_AddProperty. r=brendan.
Blocks: 559653
Attached file Stacktrace 
Taking preliminarily, but it'll be hours before I get a chance to really look, so feel free to steal it. Looks like it might just be one of those silly "oh, i forgot watchpoints can happen" situations.
Assignee: general → jorendorff
blocking2.0: --- → ?
For this test case, nothing happens in opt mode. I think the bug is that in this particular combo of watchpoints and tracing, a setter could get skipped. Thus, softblocker. Let me know if I missed something and it is more serious.
blocking2.0: ? → final+
Whiteboard: softblocker
Blocks: 630996
Right. Actually the interpreter has a bug here too, bug 631305. Fortunately the watchpoint machinery is robust against it.

Fix coming.
Attached patch v1Splinter Review 
Straightforward.
Attachment #509511 - Flags: review?(gal)
Attachment #509511 - Flags: review?(gal) → review+
> IsWatchedProperty(JSContext *cx, const Shape *shape)
> {
>     if (shape->hasSetterValue()) {
>         JSObject *funobj = shape->setterObject();
>         if (!funobj || !funobj->isFunction())
>             return false;
> 
>         JSFunction *fun = GET_FUNCTION_PRIVATE(cx, funobj);

How about modernizing to use funobj->getFunctionPrivate() while you are here?

/be
http://hg.mozilla.org/tracemonkey/rev/ae1e00dc43b7
Whiteboard: softblocker → [softblocker][fixed-in-tracemonkey]
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.