Closed
Bug 728188
Opened 13 years ago
Closed 13 years ago
IonMonkey: Assertion failure: obj, at ../../jsval.h:534
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: jandem, Assigned: dvander)
References
Details
Attachments
(2 files)
11.79 KB,
patch
|
Details | Diff | Splinter Review | |
13.13 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes with --ion-eager -n:
--
delete String.prototype.indexOf;
function enterFunc (funcName) {
funcName.indexOf();
}
enterFunc(new Array("foo"));
enterFunc(new String("Foo"));
--
The problem is that the GetPropertyCacheT for funcName.indexOf has known "object" return type, but when enterFunc is called again the return type becomes "undefined" and the script is invalidated by the Monitor call. However, the bailout mechanism still thinks the return type must be "object" so we try to construct an invalid Value with "object" type tag and "undefined" payload.
Noticed this when investigating bug 728187.
Assignee | ||
Comment 1•13 years ago
|
||
Yuck. The problem is that GetPropertyCacheT can actually return a Value, we've just made the unbox operation implicit. I think the easiest way to fix this is to get rid of GetPropertyCacheT, and always have explicit unboxing. Then we can safely bail out in between the getprop and the unbox.
Brian, does that sound okay?
Assignee | ||
Comment 2•13 years ago
|
||
Not sure if this is the right thing yet, but fixes the bug.
Assignee: general → dvander
Status: NEW → ASSIGNED
Assignee | ||
Updated•13 years ago
|
Group: mozilla-confidential
Assignee | ||
Updated•13 years ago
|
Group: mozilla-confidential
Assignee | ||
Comment 3•13 years ago
|
||
This patch adds more code and is grosser than I hoped, since I had to work around various asserts. I'm not against this facility but it would be nice if we didn't need it.
Brian, how much do you think preserving GetPropertyCacheT will matter? Could we get a microbenchmark that has a lot of register pressure?
Comment 4•13 years ago
|
||
Something like this should have more register pressure (assuming m/n/p are hoisted into registers):
function foo(x, m, n, p) {
var res = 0;
for (var i = 0; i < m; i++)
res += n + p + x.f + x.g;
return res;
}
for (var i = 0; i < 10000; i++) {
x = {};
x.f = 1;
x.g = 1;
foo(x, 10000, 1, 1);
}
Assignee | ||
Comment 5•13 years ago
|
||
before --ion -n: 458ms
-m -n: 349ms
after --ion -n: 490ms
About a 6% difference, works for me!
Assignee | ||
Updated•13 years ago
|
Attachment #599835 -
Flags: review?(bhackett1024)
Updated•13 years ago
|
Attachment #599835 -
Flags: review?(bhackett1024) → review+
Assignee | ||
Comment 10•13 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 11•12 years ago
|
||
Flags: in-testsuite+
Comment 12•12 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•