Closed Bug 977011 Opened 6 years ago Closed 6 years ago

(ggc) Assertion failure: obj->isTenured() with object literals within a function

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux

RESOLVED FIXED
mozilla30

People

(Reporter: nbp, Assigned: nbp)

Attachments

(1 file)

With a debug JS shell on x64, compiled with --enable-exact-rooting --enable-gcgenerational, the following test case:

load(libdir + 'bytecode-cache.js');
var test = "function f() { return { x: 2 }; }; f();";
evalWithCache(test, { assertEqBytecode: true });



asserts with the following error message, while encoding the object within the function:

Assertion failure: obj->isTenured()

(gdb) bt
#0  0x00000000009d2636 in js::XDRObjectLiteral<(js::XDRMode)0> (xdr=0x7fffffff90d0, obj=(JSObject *) 0x7fffee503ba0 [object Object]) at gecko-dev/js/src/jsobj.cpp:1932
#1  0x00000000009dc92d in js::XDRScript<(js::XDRMode)0> (xdr=0x7fffffff90d0, enclosingScope=0x0, enclosingScript=0x7fffee16c128, fun=(JSFunction * const) 0x7fffee17fac0 [object Function "f"], scriptp=0x7fffee16c1f0) at gecko-dev/js/src/jsscript.cpp:941
#2  0x00000000008f91bc in js::XDRInterpretedFunction<(js::XDRMode)0> (xdr=0x7fffffff90d0, enclosingScope=0x0, enclosingScript=0x7fffee16c128, objp=(JSObject *) 0x7fffee17fac0 [object Function "f"]) at gecko-dev/js/src/jsfun.cpp:450
Attachment #8382157 - Flags: review?(jorendorff)
Comment on attachment 8382157
Tenure JSOP_NEWOBJECT payload.

Review of attachment 8382157:
-----------------------------------------------------------------

::: js/src/jit-test/tests/xdr/trivial.js
@@ +34,5 @@
>  evalWithCache(test, { assertEqBytecode: true, assertEqResult : true });
> +
> +// code a function which has an object literal.
> +test = "function f() { return { x: 2 }; }; f();";
> +evalWithCache(test, { assertEqBytecode: true, assertEqResult : true });
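
Review bot: on the added evalWithCache call, assertEqResult : true does not fit this input, because the test string ends in f(), which returns a newly created { x: 2 } object on every evaluation, so the results of separate runs are distinct objects. Either keep only assertEqBytecode: true for this case, or end the string with f().x so the compared value is a primitive. The new comment would also read better as "encode a function which has an object literal".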

I removed the "assertEqResult : true", as a new object is allocated every time.
Comment on attachment 8382157
Tenure JSOP_NEWOBJECT payload.

Review of attachment 8382157:
-----------------------------------------------------------------

Stealing review at Jason's request. I think pretty much everything created by the frontend and XDR initialization should be pre-tenured, so this should be fine. I'll file a follow-up to add assertions, since it seems this isn't true in practice.

::: js/src/frontend/BytecodeEmitter.cpp
@@ +5877,5 @@
>       */
>      RootedObject obj(cx);
>      if (bce->script->compileAndGo()) {
>          gc::AllocKind kind = GuessObjectGCKind(pn->pn_count);
> +        obj = NewBuiltinClassInstance(cx, &JSObject::class_, kind, MaybeSingletonObject);
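
Review bot: on the added NewBuiltinClassInstance call, the last argument MaybeSingletonObject does not say why it is there; the assertion this bug reports is obj->isTenured(), so the requirement is a tenured object, not a singleton candidate. Passing TenuredObject would make the allocation kind state the invariant that XDR encoding relies on. Asserting obj->isTenured() right after the allocation would also make a regression fail in the emitter rather than later in XDRObjectLiteral.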

Just use TenuredObject for this and remove the comment.
Attachment #8382157 - Flags: review?(jorendorff) → review+
https://hg.mozilla.org/mozilla-central/rev/2c0ffb315be3
Assignee: nobody → nicolas.b.pierron
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30