656252 - TI: Crash [@ js::mjit::Compiler::arrayPrototypeHasIndexedProperty] or "Assertion failure: !unknownProperties(),"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stacks

o14 = [undefined].__proto__
function f18() {
  try {
    [] = o[p]
  } catch (e) {}
}
for (var i;; i++) {
  ({
    x: function() {
      return eval("o14")
    }
  }.x().__proto__ = null);
  f18()
}

crashes js opt shell on JM changeset fd1abc43d698 with -m and -n at js::mjit::Compiler::arrayPrototypeHasIndexedProperty and asserts js debug shell at Assertion failure: !unknownProperties(),

Comment 1

[Christian Holler (:decoder)]

I get the same assertion (Assertion failure: !unknownProperties(), at ../jsinferinlines.h:1215) with the following test (options -m -n -a) on 64 bit:


function toPrinted(value) digits[0xf];
function reportCompare(expected, actual, description) + ++toPrinted() + "'";
var summary = 'Dense Arrays and holes';
var actual = '';
Array.prototype[true] = 'bar';
expect = 'foo,bar,baz';
reportCompare(expect, actual, summary);

Comment 2

[Brian Hackett [Laid off!]]

Needed to test Array.prototype for unknown properties before seeing if it has indexed properties.  This is an older issue exposed by the recent change to how object flags are tested for (in the push/pop patch).  For type sets which don't contain objects at all, we shouldn't be emitting paths based on certain object flags like dense/packed arrays.

http://hg.mozilla.org/projects/jaegermonkey/rev/20d04cc7ca8a

Comment 3

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug656252.js.