IonMonkey: Assertion failure: obj->unknownProperties(), at jsinfer.cpp:1635

RESOLVED FIXED

Status

Core
JavaScript Engine
--
major
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86_64
Linux
assertion, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on ionmonkey revision 6688ede89a36 (run with --ion -n -m):


function TestCase(n, d, e, a) {}
function reportCompare (expected, actual, description) {
  var testcase = new TestCase("unknown-test-name", description, expected, actual);
}
var status = 'Testing scope after changing obj.__proto__';
function test() {
  let ( actual = [ ]  ) TestCase   .__proto__ = null;
  reportCompare (expect, actual, status);
}
var actual = 'error';
var expect = 'error';
for (i = 0; i < 100000; i++)  {
  test();
}
(Assignee)

Comment 1

5 years ago
Brian, it looks like IonMonkey calls TypeSet::WatchObjectStateChange on the callee when inlining a function. The comment just says it's to "trigger invalidation of the caller".

I don't see a similar call in JM+TI, and the call is failing an assert that the callee doesn't have unknown properties.

What's the right fix here? Should we just drop the call to WatchObjectStateChange?

Comment 2

When inlining one function into another the caller needs to be sensitive to changes in type information in the callee which are not explicitly associated with freeze constraints. e.g., if a type barrier suddenly appears at an opcode then both the script containing that opcode and any other scripts it was inlined into will need to be recompiled.

JM does this using HasObjectFlags(..., OBJECT_FLAG_UNINLINEABLE), which will trigger recompilation both on one of the changes above and in changes to the UNINLINEABLE flag.  IM doesn't care about the UNINLINEABLE flag, but using WatchObjectStateChange will still catch the above cases, and it will need to be called for each inlined callee.  I think that the fix should be to just not inline callees whose properties are totally unknown.  This will almost never happen with scripted functions, and does so in this case because of the assignment to __proto__.
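
The invalidation scheme discussed in the comment above, as an added example that is not part of the original bug and is not SpiderMonkey code: a small C++ model in which an inlined callee's state change invalidates the caller, and a callee with unknown properties is never inlined. All type and function names are hypothetical, and the model returns false where the thread describes the engine asserting.

```cpp
// Simplified model of the thread's discussion; names are illustrative, not SpiderMonkey's API.
#include <cstdio>
#include <functional>
#include <vector>

struct TypeObject {
    bool unknownProperties = false;               // nothing is tracked for this object any more
    std::vector<std::function<void()>> watchers;  // callbacks run on any state change

    void notify() { for (auto &w : watchers) w(); }
    void addTypeBarrier() { notify(); }           // a change with no freeze constraint attached
    void markUnknownProperties() { unknownProperties = true; notify(); }
};

struct CompiledScript {
    bool valid = true;       // false once the script must be recompiled
    int inlinedCallees = 0;
};

// Registers the caller for invalidation; reports failure instead of asserting on unknown properties.
bool watchObjectStateChange(TypeObject &obj, CompiledScript &caller) {
    if (obj.unknownProperties) return false;
    obj.watchers.push_back([&caller] { caller.valid = false; });
    return true;
}

// Inlining decision with the guard proposed in the thread; every inlined callee is watched.
bool tryInline(CompiledScript &caller, TypeObject &callee) {
    if (callee.unknownProperties) return false;
    if (!watchObjectStateChange(callee, caller)) return false;
    ++caller.inlinedCallees;
    return true;
}

bool barrierInvalidatesCaller() {
    TypeObject callee; CompiledScript caller;
    bool inlined = tryInline(caller, callee);
    callee.addTypeBarrier();                      // new type information appears in the callee
    return inlined && !caller.valid;
}

bool unknownCalleeIsNotInlined() {
    TypeObject callee; CompiledScript caller;
    callee.markUnknownProperties();               // constructed stand-in for TestCase.__proto__ = null
    return !tryInline(caller, callee) && caller.valid && caller.inlinedCallees == 0;
}

int main() {
    std::printf("%d %d\n", barrierInvalidatesCaller(), unknownCalleeIsNotInlined());
}
```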
(Assignee)

Comment 3

5 years ago
Created attachment 641634
fix

Okay, thanks for the explanation.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #641634 - Flags: review?(bhackett1024)
Attachment #641634 - Flags: review?(bhackett1024) → review+
(Assignee)

Comment 4

5 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/243f0d95967e
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 5

4 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug770332.js.
Flags: in-testsuite+