Closed Bug 700501 Opened 8 years ago Closed 8 years ago

[ObjShrink] "Assertion failure: [infer failure] Missing type for arg 0: <0xf6b0aaa0>," or "Assertion failure: [infer failure] Missing type for arg 0: [0xf6c001c0],"

Category: Core :: JavaScript Engine (defect, critical)
Platform: x86 Linux
Status: RESOLVED FIXED
Reporter: gkw, Assigned: bhackett
References: Blocks 1 open bug
Keywords: assertion, testcase
Attachments: 1 file

Function.prototype.__proto__["p"] = 3
c = [].__proto__
c[5] = 3
Namespace.prototype.__proto__[4] = function() {}
gc()
Function("\
    {\
    function f(d) {}\
    for each(let z in[0]) {\
        f(z)\
    }\
    }\
")()

asserts js debug shell on JM changeset 1210706b4576 with -m, -a and -n at Assertion failure: [infer failure] Missing type for arg 0: <0xf6b0aaa0>,

This was found using a combination of jsfunfuzz and jandem's method fuzzer.
This may be related:

gc()
Function("\
    {\
    function g(f){}\
    for each(let w in[0,0,0,[]]) {\
        g(w)\
    }\
    }\
")()

Assertion failure: [infer failure] Missing type for arg 0: [0xf6c001c0],
Summary: [ObjShrink] "Assertion failure: [infer failure] Missing type for arg 0: <0xf6b0aaa0>," → [ObjShrink] "Assertion failure: [infer failure] Missing type for arg 0: <0xf6b0aaa0>," or "Assertion failure: [infer failure] Missing type for arg 0: [0xf6c001c0],"
Attached patch: patch
The default 'new' types of certain objects (Object.prototype, Array.prototype, Function.prototype) are required in several places to have unknown property types.  This broke with the object newType changes --- the object's new type is no longer a strong reference, and if it goes away and is recreated then the recreated type did not have unknown property types.  The fix adds a bit to the flags in the prototype's base shape to indicate whether default 'new' types created off the object need unknown properties.

https://hg.mozilla.org/projects/jaegermonkey/rev/493d52c0a104
Assignee: general → bhackett1024
Attachment #573059 - Flags: review?(luke)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Duplicate of this bug: 700471
Duplicate of this bug: 700480
Duplicate of this bug: 700464
Duplicate of this bug: 698944
Comment on attachment 573059 [details] [diff] [review]
patch

Review of attachment 573059 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsinfer.cpp
@@ +5740,5 @@
> +    JSCompartment::NewTypeObjectSet &table = compartment()->newTypeObjects;
> +    if (table.initialized()) {
> +        JSCompartment::NewTypeObjectSet::Ptr p = table.lookup(this);
> +        if (p)
> +            MarkTypeObjectUnknownProperties(cx, *p);
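Review bot: the lookup on `this` only marks a default 'new' type that is currently alive in `newTypeObjects`; the case the patch description calls out, where the weakly held type has been collected and is later recreated, is not covered by this code, so a comment here pointing at the creation path that consults the new base-shape flag would tell a reader why a missed lookup is safe. The `table.initialized()` guard likewise deserves a one-line note that an uninitialized set implies there is no type to mark.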

if (JSCompartment::NewTypeObjectSet::Ptr p = ...)

::: js/src/jsobj.h
@@ +833,5 @@
> +    /*
> +     * Mark an object as requiring its default 'new' type to have unknown
> +     * properties. This is set for a few builtins like Object.prototype and
> +     * Array.prototype; several places in the VM require that the default
> +     * type for these objects have unknown contents.
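Review bot: the comment says which objects get the bit but not that it lives on the base shape so that it outlives the weakly held default 'new' type and is re-applied when that type is recreated, which is the reason the bit exists according to the patch description; stating that, and naming the VM sites that rely on unknown property types for these prototypes, would make the invariant verifiable from the header alone.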

Could you explain in more detail why some places in the VM require this?  If it's a dirty hack, you could point to the dependent sites which should have explanatory comments; if it's a general invariant, you could describe it.
Attachment #573059 - Flags: review?(luke) → review+
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug700501.js.
Flags: in-testsuite+