Bug 650912 - TI: Assertion failure: a->isProxy() && b->isProxy(), at jsobj.cpp:3654
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: JavaScript Engine
Version: unspecified
Hardware: All, OS: All
Severity: normal
Assigned To: Brian Hackett (:bhackett)
Blocks: 619433 648321
Reported: 2011-04-18 13:38 PDT by Jan de Mooij [:jandem] (PTO until July 31)
Modified: 2011-04-18 23:31 PDT

Attachments
Stack (11.06 KB, text/plain), 2011-04-18 13:52 PDT, Jan de Mooij [:jandem] (PTO until July 31)

Description Jan de Mooij [:jandem] (PTO until July 31) 2011-04-18 13:38:56 PDT
This is causing test failures on Mochitest-1 and Mochitest-other. 

I *think* this was introduced by bug 648321, objects a and b have different size. a is a proxy and b is a text node object.
Comment 1 Jan de Mooij [:jandem] (PTO until July 31) 2011-04-18 13:52:36 PDT
Created attachment 526818
Stack
Comment 2 Brian Hackett (:bhackett) 2011-04-18 14:05:16 PDT
Is object 'b' a non-native? TradeGuts should work the same on both proxies and other non-natives, so that assertion could just be weakened (there were no assertions in this area of the code at all when I made the change, IIRC, and looking at immediate callers was not enlightening).

Looking at this code again, this swap code from the bug 648321 patch is a total trainwreck.

- The numbers of fixed slots are swapped along with everything else (worked back when fixed slots were determined from the arena).
- We reuse the dynamic slots from the other object, but if that object had more fixed slots then the allocated size of its slots pointer will be smaller and we end up with buffer overflows (eeek!).
- After the capacity stuff gets fixed, we also need to clear slots above the other object's numSlots() with undefined.
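The three problems listed in comment 2, in a constructed C model that is not SpiderMonkey's code: `nfixed` is a property of the allocation and must survive a swap, a reused dynamic buffer sized for the other object's `nfixed` is too short (`dyn_shortfall` computes by how much), and the corrected `trade_guts` reallocates per object and clears slots above the incoming `nslots` to undefined. All field and function names here are assumptions of the model.

```c
#include <stdlib.h>
/* Constructed toy model, not SpiderMonkey's JSObject: `nfixed` slots live
 * inline and are a property of the allocation (a swap must not change it);
 * the remaining capacity - nfixed slots live in the heap buffer `dyn`. */
#define UNDEF 0xFFFFFFFFu              /* stands in for JS undefined */
#define MAX_FIXED 4
typedef struct {
    unsigned nfixed;    /* inline slots, set at allocation */
    unsigned capacity;  /* total addressable slots, always >= nfixed */
    unsigned nslots;    /* slots holding a value (numSlots()) */
    unsigned *dyn;      /* exactly capacity - nfixed entries */
    unsigned fixed[MAX_FIXED];
} Obj;

static Obj *obj_new(unsigned nfixed, unsigned capacity, unsigned nslots, unsigned fill) {
    Obj *o = calloc(1, sizeof *o);
    o->nfixed = nfixed; o->capacity = capacity; o->nslots = nslots;
    o->dyn = calloc(capacity - nfixed, sizeof *o->dyn);
    for (unsigned i = 0; i < capacity; i++)   /* slot i = fill + i, undefined past nslots */
        *(i < nfixed ? &o->fixed[i] : &o->dyn[i - nfixed]) = i < nslots ? fill + i : UNDEF;
    return o;
}

static unsigned get_slot(const Obj *o, unsigned i) {
    return i < o->nfixed ? o->fixed[i] : o->dyn[i - o->nfixed];
}

/* Second problem in comment 2: if `self` simply took over `other`'s dyn buffer
 * (sized for other->nfixed), writes would run past its end by this many slots. */
static unsigned dyn_shortfall(const Obj *self, const Obj *other) {
    return other->nfixed > self->nfixed ? other->nfixed - self->nfixed : 0;
}

/* Corrected swap: each object keeps its own nfixed, gets a fresh dyn buffer
 * sized against that nfixed, receives the other's values by logical slot
 * index, and has [other nslots, capacity) cleared to undefined. */
static void trade_guts(Obj *a, Obj *b) {
    Obj ta = *a, tb = *b;                        /* snapshots of both guts */
    for (int k = 0; k < 2; k++) {
        Obj *dst = k ? b : a; const Obj *src = k ? &ta : &tb;
        dst->nslots = src->nslots;
        dst->capacity = src->capacity > dst->nfixed ? src->capacity : dst->nfixed;
        dst->dyn = calloc(dst->capacity - dst->nfixed, sizeof *dst->dyn);
        for (unsigned i = 0; i < dst->capacity; i++) {
            unsigned v = i < src->nslots ? get_slot(src, i) : UNDEF;
            *(i < dst->nfixed ? &dst->fixed[i] : &dst->dyn[i - dst->nfixed]) = v;
        }
    }
    free(ta.dyn); free(tb.dyn);                  /* old buffers no longer referenced */
}
```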
Comment 3 Jan de Mooij [:jandem] (PTO until July 31) 2011-04-18 14:17:04 PDT
(In reply to comment #2)
> Is object 'b' a non-native?

js_DumpObject:

object 0x1b4aa460
class 0x1c8c4cf4 Text
flags:
proto <XPC_WN_ModsAllowed_NoCall_Proto_JSClass object at 0x1b4aa3b8>
parent <HTMLDocument object at 0x1b4aa2d8>
private 0x1c4ca120
reserved slots:
   0 (reserved) = undefined
properties:
Comment 4 Andreas Gal :gal 2011-04-18 14:56:20 PDT
If you fix stuff here please separate and land directly on TM.
Comment 5 Brian Hackett (:bhackett) 2011-04-18 15:08:06 PDT
These problems are with a patch that is up for review in bug 648321 and hasn't landed on TM yet.  The implementation of TradeGuts in TM currently is I think fine, but 648321 changes how objects are laid out and had to change this function.

I thought that at least when bug 584917 landed this situation wasn't possible (swap a non-native with a native outside of FixProxy), but it looks like that's changed.  It shouldn't be hard to handle this case though, we just need to make sure that any native object whose guts are swapped with one of different size is reshaped afterwards.
Comment 6 Brian Hackett (:bhackett) 2011-04-18 16:05:06 PDT
This should fix things.

http://hg.mozilla.org/projects/jaegermonkey/rev/425b3fcdbe41
