Closed Bug 727223 Opened 12 years ago Closed 12 years ago

"Assertion failure: !obj->isBlock(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla13

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

stack
1.89 KB, text/plain
Details
patch
2.62 KB, patch
dvander
: review+
Details | Diff | Splinter Review
Attached file stack 
try {
    mjitChunkLimit(1)
    function x() {}
} catch (e) {}
(function() {
    for (let c in [0, 0, 0]) {
        let c
        for (y in decodeURI()) {
            (function() {
                c
            }())
        }
    }
}())

asserts js debug shell on m-c changeset ebafee0cea36 with -m, -n and -a when the testcase is passed in as a CLI argument, at Assertion failure: !obj->isBlock(). Tested on 32-bit 10.6 js shell.

Guessing related to chunk patch in bug 706914 due to presence of mjitChunkLimit.
Attached patch patchSplinter Review 
This is actually an old bug in the BINDNAME IC (not sure how old, but seems to predate objshrink).  It tests shapes incorrectly (testing the scope's shape twice, and then off by one going up to the object.  This normally means it will miss, but it can get spurious hits when adjacent objects on the scope chain have identical shapes.  Not quite sure why mjitChunkLimit is required, but I think a specific order of invalidation/compilation is required for this testcase to assert.
Attachment #597979 - Flags: review?(dvander)
Comment on attachment 597979 [details] [diff] [review]
patch

Review of attachment 597979 [details] [diff] [review]:
-----------------------------------------------------------------

Bleh. Nice catch.
Attachment #597979 - Flags: review?(dvander) → review+
Comment on attachment 597979 [details] [diff] [review]
patch

Review of attachment 597979 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/methodjit/PolyIC.cpp
@@ +1770,5 @@
> +            JSObject *tobj = &scopeChain->asScope().enclosingScope();
> +            Address parent(pic.objReg, ScopeObject::offsetOfEnclosingScope());
> +            while (tobj) {
> +                if (!IsCacheableNonGlobalScope(tobj))
> +                    return disable("non-cacheable obj in scope chain");

AFAICS this no longer calls IsCacheableNonGlobalScope for the first link on the scope chain, right? I'm working on a BINDNAME IC for IonMonkey (bug 728311) so I'm investigating what JM does.
Yeah, IsCacheableNonGlobalScope should be tested for all objects on the scope chain.  I'll fix this before checking in.  I don't know whether it actually matters --- 'with' objects won't be the topmost object, since JSOP_WITH isn't compiled, but there could be problems with non-global scopes for event handlers and such.
You might want to check-in the test case.
https://hg.mozilla.org/mozilla-central/rev/8610a9da1742
Assignee: general → bhackett1024
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
Gary, don't suppose you could check in the testcase? :-)
Status: RESOLVED → REOPENED
Flags: in-testsuite?
Resolution: FIXED → ---
Thank you :-)
https://hg.mozilla.org/mozilla-central/rev/325746d17f50
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
Test was landed in testsuite. -> VERIFIED
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: