Closed Bug 980013 Opened 10 years ago Closed 10 years ago

Assertion failure: res.isInt32(), at jit/BaselineIC.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

Platform: x86_64 macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla30

People

(Reporter: gkw, Assigned: bhackett1024)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 files)

Attached file stack
x = new Uint8ClampedArray;
x.__proto__ = {};
Object.defineProperty(this, "y", {
    get: function() {
        return x.length;
    }
});
y;

asserts js debug shell on m-c changeset 714c8927d6af with --baseline-eager --ion-parallel-compile=off at: Assertion failure: res.isInt32(), at jit/BaselineIC.cpp

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --disable-threadsafe

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140304112656" and the hash "703bd71926e4".
The "bad" changeset has the timestamp "20140304114257" and the hash "78fa90a29c43".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=703bd71926e4&tochange=78fa90a29c43


Setting [fuzzblocker] because this is happening very often.

Only bug 695438 is in that list. bhackett, is it a likely regressor?
Flags: needinfo?(bhackett1024)
Attached patch patch
I don't know if 'length' is supposed to be an 'own' property of typed arrays or not, but fwiw d8 only seems to have them on the prototype.
Assignee: nobody → bhackett1024
Attachment #8386866 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)
Attachment #8386866 - Flags: review?(luke) → review+
(In reply to Brian Hackett (:bhackett) from comment #1)
> I don't know if 'length' is supposed to be an 'own' property of typed arrays
> or not, but fwiw d8 only seems to have them on the prototype.

http://people.mozilla.org/~jorendorff/es6-draft.html#sec-get-%typedarray%.prototype.length

so length is a getter accessor on the prototype.  (If we had length as an own property before, that's just because we hadn't updated yet.)  So the full fix here would be to add that accessor and rip out all implementation of "length" as an own property.
OK, then structurally we're already doing the right thing: |length| is a property only on typed array prototypes, not on the instances, so changing a typed array's __proto__ changes the meaning of that property access.
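The behaviour the two comments above describe, as an added example that is not part of the bug or of the SpiderMonkey tree; it runs in any current engine and shows that `length` is an accessor on %TypedArray%.prototype, not an own property, so the testcase's `__proto__` swap makes `x.length` resolve to nothing (the value the IC did not expect), while the original accessor still works on the same object:

```javascript
// %TypedArray%.prototype: the shared prototype behind Uint8ClampedArray.prototype.
const TypedArrayPrototype = Object.getPrototypeOf(Uint8ClampedArray.prototype);
const lengthAccessor = Object.getOwnPropertyDescriptor(TypedArrayPrototype, "length");

// Report where `length` is found for a given object and what reading it yields.
function describeLength(x) {
  return {
    // No own `length` on the instance itself.
    own: Object.getOwnPropertyDescriptor(x, "length") !== undefined,
    // The getter lives on %TypedArray%.prototype.
    onTypedArrayPrototype: typeof lengthAccessor.get === "function",
    // Whatever ordinary property lookup produces through the current chain.
    value: x.length,
  };
}

// Replay the testcase's sequence: read x.length with the normal prototype
// chain, swap the prototype, read it again. The second read is the one that
// produced a non-int32 result for an IC that had only ever seen int32.
function replayTestcase() {
  const x = new Uint8ClampedArray(4);          // constructed sample input
  const before = describeLength(x);
  Object.setPrototypeOf(x, {});                // same effect as x.__proto__ = {}
  const after = describeLength(x);
  // The getter reads the typed array's internal slots, not a property, so
  // applying it explicitly still returns the real length of the same object.
  const viaAccessor = lengthAccessor.get.call(x);
  return { before, after, viaAccessor };
}
```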

https://hg.mozilla.org/integration/mozilla-inbound/rev/6f8ea87eb8d1
https://hg.mozilla.org/mozilla-central/rev/6f8ea87eb8d1
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30