861439 - Crash [@ js::UncheckedUnwrap] with bug 804676 fixes

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stacks

try {
    x = evalcx('')
    toSource = (function() {
        x = (new WeakMap).get(function() {})
    })
    valueOf = (function() {
        schedulegc(x)
    })
    this + ''
    for (v of this) {}
} catch (e) {}
gc()
this + 1

crashes js debug and opt shell on ionmonkey (where bug 804676 fixes landed for testing) changeset 79f78c194329 with --ion-eager and --no-baseline at js::UncheckedUnwrap

Comment 1

[Brian Hackett [Laid off!]]

I can't reproduce this.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to Brian Hackett (:bhackett) from comment #1)
> I can't reproduce this.

I can definitely reproduce with --enable-more-deterministic. 

sh ./configure --target=x86_64-apple-darwin11.4.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache

Comment 3

[Brian Hackett [Laid off!]]

Attachment: patch

TypeObject property information doesn't reflect the initial undefined values for properties of singleton objects.  (This quirk allows better handling for global variables declared with 'var', which will have an undefined value before getting their real value.)  This wasn't being accounted for right when Ion was adding type barriers on property reads; this patch fixes that and commons the related logic a bit.

https://hg.mozilla.org/projects/ionmonkey/rev/75ff34ead9fc

Comment 4

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/75ff34ead9fc