Last Comment Bug 774257 - IonMonkey: Assertion failure: !isOwn, at ion/IonBuilder.cpp:4997
: IonMonkey: Assertion failure: !isOwn, at ion/IonBuilder.cpp:4997
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86_64 Linux
-- major (vote)
: ---
Assigned To: Eric Faust [:efaust]
: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz IonFuzz
  Show dependency treegraph
Reported: 2012-07-16 06:35 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 07:41 PST (History)
8 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Fix (1017 bytes, text/plain)
2012-07-16 21:20 PDT, Eric Faust [:efaust]
no flags Details
Fix (1.97 KB, patch)
2012-07-17 14:06 PDT, Eric Faust [:efaust]
dvander: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2012-07-16 06:35:51 PDT
The following testcase asserts on ionmonkey revision a29f6c635516 (run with --ion -n -m --ion-eager):

Object.defineProperty(Object.prototype, 'x', { 
    set: function() { evalcx('lazy'); } 
var obj = {};"x", function (id, oldval, newval) {});
for (var str in 'A') {
    obj.x = 1;
Comment 1 User image David Anderson [:dvander] 2012-07-16 14:16:38 PDT
Eric, this looks like setter/getter fallout - mind taking a look?
Comment 2 User image Eric Faust [:efaust] 2012-07-16 21:20:34 PDT
Created attachment 642860 [details]

When we mark an object as watched, we set it as having an own, configured property, which violated the invariant that the property be an own property of the type it's actually on.

Since it's actually unsafe to inline calls to setters on watched objects, we stop trying to do that, instead.
Comment 3 User image Eric Faust [:efaust] 2012-07-16 23:25:58 PDT
Comment on attachment 642860 [details]

This doesn't solve the problem all the way, as it only papers over the fact that the watch could be anywhere on the prototype chain between the object and the prototype which actually has the shape for that property.
Comment 4 User image Eric Faust [:efaust] 2012-07-17 14:06:42 PDT
Created attachment 643138 [details] [diff] [review]

New patch and tests in light of previous comment.
Comment 5 User image Eric Faust [:efaust] 2012-07-18 01:01:30 PDT
Comment 6 User image Christian Holler (:decoder) 2013-01-14 07:41:53 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug774257-1.js.

Note You need to log in before you can comment on or make changes to this bug.