The default bug view has changed. See this FAQ.

IonMonkey: Assertion failure: !isOwn, at ion/IonBuilder.cpp:4997

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
major
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: decoder, Assigned: efaust)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86_64
Linux
assertion, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment, 1 obsolete attachment)

Fix
1.97 KB, patch
dvander
: review+
Details | Diff | Splinter Review
(Reporter)

Description

5 years ago
The following testcase asserts on ionmonkey revision a29f6c635516 (run with --ion -n -m --ion-eager):


Object.defineProperty(Object.prototype, 'x', { 
    set: function() { evalcx('lazy'); } 
});
var obj = {};
obj.watch("x", function (id, oldval, newval) {});
for (var str in 'A') {
    obj.x = 1;
}
Eric, this looks like setter/getter fallout - mind taking a look?
(Assignee)

Comment 2

5 years ago
Created attachment 642860 [details]
Fix

When we mark an object as watched, we set it as having an own, configured property, which violated the invariant that the property be an own property of the type it's actually on.

Since it's actually unsafe to inline calls to setters on watched objects, we stop trying to do that, instead.
Assignee: general → efaust
Status: NEW → ASSIGNED
Attachment #642860 - Flags: review?(dvander)
(Assignee)

Comment 3

5 years ago
Comment on attachment 642860 [details]
Fix

This doesn't solve the problem all the way, as it only papers over the fact that the watch could be anywhere on the prototype chain between the object and the prototype which actually has the shape for that property.
Attachment #642860 - Attachment is obsolete: true
Attachment #642860 - Flags: review?(dvander)
(Assignee)

Comment 4

5 years ago
Created attachment 643138 [details] [diff] [review]
Fix

New patch and tests in light of previous comment.
Attachment #643138 - Flags: review?(dvander)
Attachment #643138 - Flags: review?(dvander) → review+
(Assignee)

Comment 5

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/9712a6f6b71c
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

4 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug774257-1.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.