Closed Bug 632778 Opened 14 years ago Closed 12 years ago

"Assertion failure: !((attrs ^ shape->attrs) & 0x40) || !(attrs & 0x40),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- .x+

People

(Reporter: jandem, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-done)

Attachments

(2 files)

Stacktrace
(deleted), text/plain
Details
tests from testcases in comment 0 and comment 6
(deleted), patch
jorendorff
: review+
Details | Diff | Splinter Review
-- function f() { "use strict"; } g = wrap(f); Object.defineProperty(g, "arguments", {set: function(){}}); -- Asserts in debug builds (interpreter/JM/TM): Assertion failure: !((attrs ^ shape->attrs) & JSPROP_SHARED) || !(attrs & JSPROP_SHARED), at ../jsscope.cpp:1075
Severity: normal → critical
status2.0: --- → ?
Attached file Stacktrace (deleted) —
blocking2.0: --- → ?
status2.0: ? → ---
blocking2.0: ? → .x
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 51090:8acc48c670d5 user: Jeff Walden date: Mon Aug 02 23:52:12 2010 -0700 summary: Bug 514581 - ES5: fun.caller and fun.arguments must throw when fun is strict-mode code. r=jimb
Blocks: 514581
Found this as well, I have a test case without "use strict" if that is relevant :)
Whether or not it's relevant, please post it. :-) If it is relevant, it's more coverage. If it's not, it's a separate bug we should be sure to fix, although if so perhaps the fix might be better in a new bug.
I totally forgot this bug :) Here is the requested test case (tested on mozilla-inbound revision ec66137aed05 with options -j -m): o5 = Namespace; function f1(o) o6 = o5; function f4(o) { _var_ = o var prop = Object.getOwnPropertyNames(f4)[4]; Object.defineProperty(_var_, prop, { set: function () {}, }) } function f5(o) f1 = o.bind(); (function () { f1() f5(o6) o5 = wrap(f1) })(); f4(o5)
Comment 5 reduced: obj = wrap(Number.bind()); Object.defineProperty(obj, "caller", {set: function () {}});
Whiteboard: js-triage-needed
I can't take this, but I can see what's happening. Native objects are implemented in two "layers", a low-level physical layer (mostly in jsscope.cpp) and a sort of user-y API layer (mostly in jsobj.cpp). The former asserts things that the latter is supposed to enforce with a runtime check. Object.defineProperty on a transparent proxy calls JS_DefinePropertyById on the wrapped object. We end up in js::DefineNativeProperty, here: /* * If we are defining a getter whose setter was already defined, or * vice versa, finish the job via obj->changeProperty, and refresh the * property cache line for (obj, id) to map shape. */ if (!js_LookupProperty(cx, obj, id, &pobj, &prop)) return NULL; if (prop && pobj == obj) { shape = (const Shape *) prop; --> if (shape->isAccessorDescriptor()) { shape = obj->changeProperty(cx, shape, attrs, JSPROP_GETTER | JSPROP_SETTER, (attrs & JSPROP_GETTER) ? getter : shape->getter(), (attrs & JSPROP_SETTER) ? setter : shape->setter()); if (!shape) return NULL; } else { shape = NULL; } } The attrs of the function.caller property include JSPROP_GETTER and JSPROP_SETTER but not JSPROP_SHARED. So isAccessorDescriptor() returns true, but when we get down to the physical layer in jsscope.cpp, we assert that we aren't trying to turn a slotful property into a slotless one. It could be fixed by making this code check for more than just isAccessorDescriptor(), I guess. Maybe Jeff's willing to take this?
Whiteboard: js-triage-needed → js-triage-done
(In reply to Jason Orendorff [:jorendorff] from comment #6) > Comment 5 reduced: > > obj = wrap(Number.bind()); > Object.defineProperty(obj, "caller", {set: function () {}}); The assertion caused by this testcase as well as the one in comment 0 has mutated to: Assertion failure: !((attrs ^ shape->attrs) & 0x40) || !(attrs & 0x40),
Keywords: regression
OS: Mac OS X → All
Summary: Assertion failure: !((attrs ^ shape->attrs) & JSPROP_SHARED) || !(attrs & JSPROP_SHARED), at ../jsscope.cpp:1075 → "Assertion failure: !((attrs ^ shape->attrs) & 0x40) || !(attrs & 0x40),"
Version: unspecified → Trunk
Bug 750307 probably fixed this. The testcases in comment 0 and comment 6 no longer assert. autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 96576:2ddb6278d1de user: Jason Orendorff date: Wed Jun 13 03:11:18 2012 -0500 summary: Bug 750307 - "Assertion failure: isBoolean()" in RegExpObject::ignoreCase after redefining nonconfigurable data property. r=Waldo. Second landing, test change rs=bholley on IRC.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
I'm not sure if tests need r+ but running them through a second pair of eyes may be a good idea...
Attachment #636000 - Flags: review?(jorendorff)
Attachment #636000 - Flags: review?(jorendorff) → review+
Test backed out, thanks Luke for pointing this out: http://hg.mozilla.org/integration/mozilla-inbound/rev/627c49f46421 The testcase no longer gives an assert but according to Luke shows a TypeError instead (which I think is correct): "TypeError: can't redefine non-configurable property 'arguments'"
Flags: in-testsuite+
Landing take two: http://hg.mozilla.org/integration/mozilla-inbound/rev/172ffbd87b1b In the jit-test directory, I ran: python jit_test.py <path to js binary> bug632778-1.js bug632778-2.js and they passed. \o/ Thanks jorendorff for helping me out on IRC.
Flags: in-testsuite+
VERIFIED based on landed test.
Status: RESOLVED → VERIFIED
Updated tests to use test metalines instead, since they are in jit-test: http://hg.mozilla.org/integration/mozilla-inbound/rev/3bca687c261c
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: