Closed Bug 857836 Opened 11 years ago Closed 11 years ago

Assertion failure: paTypeObject->getPropertyCount() == NumFixedSlots, at builtin/ParallelArray.cpp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
All
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23
Tracking Flags:
Tracking Status
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 --- fixed
firefox23 + fixed
firefox-esr17 --- unaffected

People

(Reporter: gkw, Assigned: shu)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

stack
8.34 KB, text/plain
Details
fix
1.33 KB, patch
bhackett1024
: review+
akeybl
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Attached file stack 
Function("\
    Proxy.create((function() {\
        return {\
            getOwnPropertyDescriptor: function() {},\
        };\
    }), ParallelArray.prototype);\
    __defineGetter__(\"x\", ParallelArray);\
    x;\
")()

asserts js debug shell on m-c changeset f20b0ce9e528 without any CLI arguments at Assertion failure: paTypeObject->getPropertyCount() == NumFixedSlots, at builtin/ParallelArray.cpp
Due to skipped revisions, the first bad revision could be any of:
changeset:   125553:8c6ec2899d89
user:        Vladimir Vukicevic
date:        Mon Mar 18 18:50:19 2013 -0400
summary:     b=851964; Odin/OSX, part 2. add BreakpadUserExceptionHandler support to breakpad; r=ted

changeset:   125554:fe29b2ae604b
user:        Vladimir Vukicevic
date:        Mon Mar 18 19:07:07 2013 -0400
summary:     b=851964; Odin/OSX, part 3. enable AsmJS on OSX by using new Breakpad user handler, r=luke

changeset:   125555:b00eb1ef1517
user:        Nicholas D. Matsakis
date:        Tue Mar 19 22:12:27 2013 -0400
summary:     Bug 829602 - Enable self-hosted parallelarray r=dvander,till

changeset:   125556:cfa733af8c86
user:        Boris Zbarsky
date:        Tue Mar 19 22:20:16 2013 -0400
summary:     Bug 852118 followup.  Fix the layout debugger to fix bustage

changeset:   125557:5a2d12a34466
user:        David Zbarsky
date:        Tue Mar 19 22:31:44 2013 -0400
summary:     Bug 846995 Part 1: Fix all the files that reference SVGAnimatedTransformList r=jwatt

changeset:   125558:d92e88a18263
user:        David Zbarsky
date:        Tue Mar 19 22:31:44 2013 -0400
summary:     Bug 846995 Part 2: Rename SVGAnimatedTransformList to nsSVGAnimatedTransformList r=jwatt

changeset:   125559:26f0d590a021
user:        David Zbarsky
date:        Tue Mar 19 22:31:44 2013 -0400
summary:     Bug 846995 Part 3: Rename DOMSVGAnimatedTransformList and kill nsISupports r=jwatt

changeset:   125560:b147c2b08372
user:        Nicholas Nethercote
date:        Mon Mar 11 22:43:23 2013 -0700
summary:     Bug 849367 (part 1) - Speed up TokenStream::matchChar().  r=jorendorff.

changeset:   125561:3924eba670bb
user:        Patrick McManus
date:        Tue Mar 19 21:27:25 2013 -0400
summary:     bug 767742 - close spdy sessions under total connection pressure r=honzab

changeset:   125562:4bb793ac828d
user:        Brian Hackett
date:        Tue Mar 19 20:53:47 2013 -0600
summary:     Bug 839209 - Relax CanFakeSync, r=dvander.

changeset:   125563:893a57ee94bf
user:        Christian Holler
date:        Wed Mar 20 03:58:09 2013 +0100
summary:     Bug 720070 - Add missing test for bug 720070. r=needed-tests

changeset:   125564:129ff7d52968
user:        Christian Holler
date:        Wed Mar 20 03:58:09 2013 +0100
summary:     Bug 718852 - Add missing test for bug 718852. r=needed-tests

changeset:   125565:053bb31882c4
user:        Christian Holler
date:        Wed Mar 20 03:58:09 2013 +0100
summary:     Bug 696748 - Add missing test for bug 696748. r=needed-tests

changeset:   125566:e051419897da
user:        Christian Holler
date:        Wed Mar 20 03:58:09 2013 +0100
summary:     Bug 593611 - Add missing test for bug 593611. r=needed-tests

changeset:   125567:f1c918eaacfa
user:        Christian Holler
date:        Wed Mar 20 03:58:09 2013 +0100
summary:     Bug 576891 - Add missing test for bug 576891. r=needed-tests

changeset:   125568:08dff7a8e784
user:        Christian Holler
date:        Wed Mar 20 03:58:09 2013 +0100
summary:     Bug 563243 - Add missing test for bug 563243. r=needed-tests

changeset:   125569:e8db09a9c66c
user:        Christian Holler
date:        Wed Mar 20 03:58:09 2013 +0100
summary:     Bug 558531 - Add missing test for bug 558531. r=needed-tests

changeset:   125570:edd1edc19f46
user:        Christian Holler
date:        Wed Mar 20 03:58:09 2013 +0100
summary:     Bug 572232 - Add missing test for bug 572232. r=needed-tests

changeset:   125571:1ea0203ab5fa
user:        Christian Holler
date:        Wed Mar 20 03:58:09 2013 +0100
summary:     Bug 566136 - Add missing test for bug 566136. r=needed-tests

changeset:   125572:7882cc0068e5
user:        Christian Holler
date:        Wed Mar 20 03:58:09 2013 +0100
summary:     Bug 616009 - Add missing test for bug 616009. r=needed-tests

changeset:   125573:5882acd59c33
user:        Phil Ringnalda
date:        Tue Mar 19 20:20:38 2013 -0700
summary:     Back out 26f0d590a021, d92e88a18263, 5a2d12a34466 (bug 846995) for not building

changeset:   125574:26653529ea8b
user:        Phil Ringnalda
date:        Tue Mar 19 21:44:48 2013 -0700
summary:     Back out fe29b2ae604b, 8c6ec2899d89 and 6b2f3cb031da (bug 851964) for test hangs


I'm guessing bug 829602 regressed this.
Blocks: 829602
Flags: needinfo?(nmatsakis)
Seems like a safe guess.  I can kind of imagine what's causing this, I'll look into it.
Flags: needinfo?(nmatsakis)
Assigning to Niko based on comment 2.
Assignee: general → nmatsakis
Status: NEW → ASSIGNED
Attached patch fixSplinter Review 
What causes the assertion is that we're trying to add definite properties to a TypeObject that's been marked unknownProperties(). The best part is how it gets marked here:

1) The Function constructor causes the script to be !compileAndGo, which causes us to not use a script/pc-specialized TypeObject for ParallelArrays.

2) The Proxy marks ParallelArray.prototype to be unknownProperties(), so when we try to construct a new ParallelArray, we get the unspecialized type object, which has been marked unknownProperties() due to the proxy.
Assignee: nmatsakis → shu
Attachment #737035 - Flags: review?(bhackett1024)
Attachment #737035 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/0867fa1dfe4b
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
This affects Firefox 22 as well (showed up on mozilla-aurora testing).
status-firefox20: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → affected
status-firefox23: --- → fixed
status-firefox-esr17: --- → unaffected
Flags: needinfo?(shu)
Comment on attachment 737035 [details] [diff] [review]
fix

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 829602
User impact if declined: Crashes when using ParallelArrays with proxies
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): None
String or IDL/UUID changes made by this patch:
Attachment #737035 - Flags: approval-mozilla-aurora?
Flags: needinfo?(shu)
Attachment #737035 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.