Closed
Bug 628564
Opened 15 years ago
Closed 15 years ago
TM: "Assertion failure: hasInt32Repr(*vp),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [softblocker][fixed-in-tracemonkey])
Attachments
(1 file)
|
6.25 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
function h() {
(function() {
x = x % 4
})()
}
x = 0
h()
for (a = 0; a < 12; ++a) {
if (a == 7) {
if (x) {} else {
__defineSetter__("x", Object.defineProperties)
}
}
}
asserts js debug shell on TM changeset 72cb2f4a893c with -j at Assertion failure: hasInt32Repr(*vp), but does not seem to crash on opt shells.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 54473:8deef18e795a
parent: 54471:f1912fe1996f
user: Brendan Eich
date: Tue Sep 21 00:04:25 2010 -0700
summary: Fix slot leak that leads to allocSlot assert botch (597945, r=jorendorff).
|
Reporter | |
Updated•15 years ago
|
blocking2.0: --- → ?
|
||
Updated•15 years ago
|
Assignee: general → pbiggar
|
||
Updated•15 years ago
|
blocking2.0: ? → final+
Whiteboard: softblocker
|
|
||
Comment 1•15 years ago
|
||
Further reduced:
x = 0
for (a = 0; a < 12; ++a) {
if (a == 7) {
if (!x) {
__defineSetter__("x", Object.defineProperties)
}
}
}
If I make the condition !y (after setting y to 0), it stops asserting.
|
|
Assignee | |
Comment 2•15 years ago
|
||
So this should be caught by the AbortRecordingIfUnexpectedGlobalWrite in js_DefineNativeProperty. However, this test is being skipped because
obj->containsSlot(shape->slot)
is false.
I'm not very familiar with property setting. Jason or Waldo: perhaps you know of a better place to stick AbortRecordingIfUnexpectedGlobalWrite?
|
||
Comment 3•15 years ago
|
||
The setter has no slot (shape->slot is SHAPE_INVALID_SLOT -- can you confirm?), so that test won't help. But we're replacing a shape for 'x' in the global object that did have a slot.
Seems to me that AbortRecordingIfUnexpectedGlobalWrite needs to happen unconditionally, but that long-named static inline from jstracer.h is a new one on me. At the top of js_DefineNativeProperty is a LeaveTraceIfGlobalObject. AbortRecording and LeaveTrace events must line up. Can we fold the latter into the former?
/be
|
|
||
Comment 4•15 years ago
|
||
If adding a setter that does not replace a slotful prop then there's no hazard, so we could be more precise and optimize better, based on checking the pre-shape if any (it's looked up here but not saved):
added = !obj->nativeContains(id);
uint32 oldShape = obj->shape();
. . .
/be
|
|
Assignee | |
Comment 5•15 years ago
|
||
(In reply to comment #3)
> but that long-named static inline from jstracer.h is a new one on me.
Its only used in 3 places, so the long name seemed justified. Also, I bet you knew immediately what it did ;-).
> AbortRecording and LeaveTrace events must line up. Can we fold the latter into
> the former?
The complication is that we need a slot to pass to AbortRecordingIfUnexpectedGlobalWrite, so we need to delay it until when we know the slot that is being changed.
|
|
||
Comment 6•15 years ago
|
||
(In reply to comment #5)
> (In reply to comment #3)
> > but that long-named static inline from jstracer.h is a new one on me.
>
> Its only used in 3 places, so the long name seemed justified. Also, I bet you
> knew immediately what it did ;-).
Hey, I didn't write "overlong" :-P. It's fine, but sometimes long names and comments are a warning sign of insufficient synthesis or minimization, or just unavoidable complexity (like this case).
> > AbortRecording and LeaveTrace events must line up. Can we fold the latter into
> > the former?
>
> The complication is that we need a slot to pass to
> AbortRecordingIfUnexpectedGlobalWrite, so we need to delay it until when we
> know the slot that is being changed.
So we need to know when we're redefining a slot-based property, whether to a new definition that's slotless, or just a new slotful data property. That says we must use nativeLookup and not just capture the boolean "added".
/be
|
|
Assignee | |
Comment 7•15 years ago
|
||
Like this?
|
|
||
Comment 8•15 years ago
|
||
Comment on attachment 508447 [details] [diff] [review]
patch
Nice. "existingShape" is a fine name, but right below is "uint32 oldShape" which makes me sad for not renaming shape-ids to something like (here) oldShapeId. r=me in any case.
/be
Attachment #508447 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 9•15 years ago
|
||
Hmm, I see. I went with "existing" because the Shape possibly pointed to by existingShape isn't itself being replaced or updated, so the old/new distinction didn't quite make sense. I guess this is what you mean by 'shape' vs. 'shape-id' (the latter referring to the uint32 associated with an object, right?). Perhaps just s/oldShape/oldShapeId/ ?
|
|
||
Comment 10•15 years ago
|
||
Don't worry about it -- something we can clean up later, not this patch.
/be
|
|
Assignee | |
Comment 11•15 years ago
|
||
Whiteboard: softblocker → [softblocker][fixed-in-tracemonkey]
|
||
Comment 12•15 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/09a7b1270012
|
|
||
Updated•15 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Comment 13•13 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug628564.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•