Last Comment Bug 774257 - IonMonkey: Assertion failure: !isOwn, at ion/IonBuilder.cpp:4997
: IonMonkey: Assertion failure: !isOwn, at ion/IonBuilder.cpp:4997
Status: RESOLVED FIXED
[jsbugmon:update]
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86_64 Linux
: -- major (vote)
: ---
Assigned To: Eric Faust [:efaust]
: general
Mentors:
Depends on:
Blocks: langfuzz IonFuzz
  Show dependency treegraph
 
Reported: 2012-07-16 06:35 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 07:41 PST (History)
8 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Fix (1017 bytes, text/plain)
2012-07-16 21:20 PDT, Eric Faust [:efaust]
no flags Details
Fix (1.97 KB, patch)
2012-07-17 14:06 PDT, Eric Faust [:efaust]
dvander: review+
Details | Diff | Review

Description Christian Holler (:decoder) 2012-07-16 06:35:51 PDT
The following testcase asserts on ionmonkey revision a29f6c635516 (run with --ion -n -m --ion-eager):


Object.defineProperty(Object.prototype, 'x', { 
    set: function() { evalcx('lazy'); } 
});
var obj = {};
obj.watch("x", function (id, oldval, newval) {});
for (var str in 'A') {
    obj.x = 1;
}
Comment 1 David Anderson [:dvander] 2012-07-16 14:16:38 PDT
Eric, this looks like setter/getter fallout - mind taking a look?
Comment 2 Eric Faust [:efaust] 2012-07-16 21:20:34 PDT
Created attachment 642860 [details]
Fix

When we mark an object as watched, we set it as having an own, configured property, which violated the invariant that the property be an own property of the type it's actually on.

Since it's actually unsafe to inline calls to setters on watched objects, we stop trying to do that, instead.
Comment 3 Eric Faust [:efaust] 2012-07-16 23:25:58 PDT
Comment on attachment 642860 [details]
Fix

This doesn't solve the problem all the way, as it only papers over the fact that the watch could be anywhere on the prototype chain between the object and the prototype which actually has the shape for that property.
Comment 4 Eric Faust [:efaust] 2012-07-17 14:06:42 PDT
Created attachment 643138 [details] [diff] [review]
Fix

New patch and tests in light of previous comment.
Comment 5 Eric Faust [:efaust] 2012-07-18 01:01:30 PDT
https://hg.mozilla.org/projects/ionmonkey/rev/9712a6f6b71c
Comment 6 Christian Holler (:decoder) 2013-01-14 07:41:53 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug774257-1.js.

Note You need to log in before you can comment on or make changes to this bug.