Closed Bug 861419 Opened 12 years ago Closed 12 years ago

Crash [@ js::ion::IonCompartment::flusher] with bug 804676 fixes

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

debug and opt stacks
10.94 KB, text/plain
Details
patch
1.28 KB, patch
dvander
: review+
Details | Diff | Splinter Review
Attached file debug and opt stacks
try { arguments.toSource = (function() { __proto__.y = x }) y = this print(x = 8) a = arguments for (v of this) {} } catch (e) {} function f() { y.a } f() f() y = 1[7] f() crashes js debug and opt shell on ionmonkey (where bug 804676 fixes landed for testing) changeset 79f78c194329 with --ion-eager at js::ion::IonCompartment::flusher
Flags: needinfo?(bhackett1024)
I can't reproduce this.
Flags: needinfo?(bhackett1024)
(In reply to Brian Hackett (:bhackett) from comment #1) > I can't reproduce this. I can definitely reproduce with --enable-more-deterministic. sh ./configure --target=x86_64-apple-darwin11.4.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review
OK, that worked. When reading global names we didn't propagate values for the property in from its prototype, so that the added freeze constraint was triggered later on during compilation and compiled code was not invalidated at the right point. https://hg.mozilla.org/projects/ionmonkey/rev/a8d0317c24c1
Attachment #737246 - Flags: review?(dvander)
Flags: needinfo?(bhackett1024)
Comment on attachment 737246 [details] [diff] [review] patch Review of attachment 737246 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/IonBuilder.cpp @@ +5635,5 @@ > // The property has been reconfigured as non-configurable, non-enumerable > // or non-writable. > return jsop_getname(name); > } > + if (!propertyTypes->hasPropagatedProperty()) Could you put a comment above explaining what this condition means?
Attachment #737246 - Flags: review?(dvander) → review+
Add comment: https://hg.mozilla.org/projects/ionmonkey/rev/c946f7a39397
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: