Closed Bug 774257 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: !isOwn, at ion/IonBuilder.cpp:4997

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Assigned: efaust)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file, 1 obsolete file)

The following testcase asserts on ionmonkey revision a29f6c635516 (run with --ion -n -m --ion-eager):


Object.defineProperty(Object.prototype, 'x', { 
    set: function() { evalcx('lazy'); } 
});
var obj = {};
obj.watch("x", function (id, oldval, newval) {});
for (var str in 'A') {
    obj.x = 1;
}
Eric, this looks like setter/getter fallout - mind taking a look?
Attached file Fix (obsolete) —
When we mark an object as watched, we set it as having an own, configured property, which violated the invariant that the property be an own property of the type it's actually on.

Since it's actually unsafe to inline calls to setters on watched objects, we stop trying to do that, instead.
Assignee: general → efaust
Status: NEW → ASSIGNED
Attachment #642860 - Flags: review?(dvander)
Comment on attachment 642860 [details]
Fix

This doesn't solve the problem all the way, as it only papers over the fact that the watch could be anywhere on the prototype chain between the object and the prototype which actually has the shape for that property.
Attachment #642860 - Attachment is obsolete: true
Attachment #642860 - Flags: review?(dvander)
Attached patch FixSplinter Review
New patch and tests in light of previous comment.
Attachment #643138 - Flags: review?(dvander)
Attachment #643138 - Flags: review?(dvander) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/9712a6f6b71c
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug774257-1.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.