Closed Bug 698150 Opened 13 years ago Closed 13 years ago

[ObjShrink]: Assertion failure: type->canProvideEmptyShape(clasp), at ../jsobjinlines.h:1538

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

patch
7.88 KB, patch
luke
: review+
Details | Diff | Splinter Review 
The following testcase asserts on jaegermonkey revision b01eb1ba58ce (run with -m -n), tested on 64 bit:


gczeal(2);
var g1 = newGlobal('same-compartment');
var proxyStr = "Proxy.create(                                    "+
"  { getOwnPropertyDescriptor: function() assertEq(true,false),  "+
"    fix: function() assertEq(true,false), },                    "+
"  Object.prototype                                              "+
");                                                              ";
var proxy1 = g1.eval(proxyStr);
Version: Trunk → Other Branch
Summary: TI: Assertion failure: type->canProvideEmptyShape(clasp), at ../jsobjinlines.h:1538 → [ObjShrink]: Assertion failure: type->canProvideEmptyShape(clasp), at ../jsobjinlines.h:1538
Attached patch patchSplinter Review 
More fallout from changing strong references on new types to weak references.  When initializing certain standard classes, the VM makes sure to instantiate an empty shape for that class with an appropriate class.  Otherwise the class of the empty shapes associated with a type is that specified the first time an object is created with the proto.  This is a kind of goofy and long standing behavior and the VM's attempt to ensure the shapes are instantiated with the right class doesn't work when the shapes are only weakly held.

The patch changes things so that the empty shapes on the type must have the same class as the prototype.  This is vulnerable to creating pathological behavior when lots of objects get created with a mismatched class (they will all have separate shape lineages), but this design has always been subject to such problems.  I will measure and if lots of new empty shapes are being constructed because of mismatches here then the whole bit needs to be reworked.

https://hg.mozilla.org/projects/jaegermonkey/rev/daf591298f5d
Assignee: general → bhackett1024
Attachment #573299 - Flags: review?(luke)
https://hg.mozilla.org/projects/jaegermonkey/rev/daf591298f5d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 573299 [details] [diff] [review]
patch

On the subject, EmptyShape::create implies a new empty shape is created (as is the case for all these *Object::create functions); could you name it EmptyShape::get instead?
Attachment #573299 - Flags: review?(luke) → review+
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: