Closed Bug 951213 Opened 11 years ago Closed 11 years ago

Assertion failure: canRemoveLastProperty(), at jsobjinlines.h:123

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla29

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(3 files, 1 obsolete file)

[crash-signature] Machine-readable crash signature
769 bytes, text/plain
Details
patch
3.59 KB, patch
jandem
: review+
Details | Diff | Splinter Review
updated
6.59 KB, patch
terrence
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision b980c2dee2e7 (run with --fuzzing-safe --ion-eager):


setObjectMetadataCallback(function(obj) {});
function foo(x, y) {
  this.g = x + y;
}
var a = 0;
var b = { valueOf: function() Object.defineProperty(Object.prototype, 'g', {}) };
var c = new foo(a, b);
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/bec71542c055
user:        Brian Hackett
date:        Sat Dec 14 16:29:43 2013 -0800
summary:     Bug 950118 - Don't allow the object metadata hook to reenter JS, r=jimb.

This iteration took 1.020 seconds to run.
Flags: needinfo?(bhackett1024)
Attached patch patch (obsolete) — Splinter Review 
The logic used when rolling back object properties when TI's definite properties analysis gets invalidated wasn't able to cope with objects that have metadata.  JSObjet::removeProperty is a more generic API that can cope with this case.
Assignee: nobody → bhackett1024
Attachment #8350374 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review 
Oops, wrong patch.
Attachment #8350374 - Attachment is obsolete: true
Attachment #8350374 - Flags: review?(jdemooij)
Attachment #8350376 - Flags: review?(jdemooij)
Attachment #8350376 - Flags: review?(jdemooij) → review+
Depends on: 945250
Attached patch updatedSplinter Review 
GGC builds break on the new testcase even without the patch.  This patch fixes GGC to handle the testcase and avoids expensive enabling/disabling of the nursery every time the metadata callback is invoked.

Note that not rekeying initial shape table entries for nursery metadata things won't lead to any incorrect behavior, though some extra shapes might end up being created.  The same holds for parent, but not proto --- |InitialShapeEntry::proto| should be fixed up, or subtly incorrect behavior (not crashes) could happen.  (If the same |proto| address is used for two different prototype objects then objects with different protos could have the same shape, which will confuse jitcode prototype-traversing caches.)  It would be best if this behaved like TypeObjectWithNewScriptEntry, though again this is a separate issue from this patch.
Attachment #8351494 - Flags: review?(terrence)
Comment on attachment 8351494 [details] [diff] [review]
updated

Review of attachment 8351494 [details] [diff] [review]:
-----------------------------------------------------------------

Great! r=me

The InitialShapeSet issue is worrisome. I'll file a bug.
Attachment #8351494 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/057498186852
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: