Google Maps crash on tracemonkey branch (595365, precog a=jorendorff).

2010-09-11 23:55:25 -07:00 · 2010-09-11 23:55:25 -07:00 · 98386adf38
--- a/js/src/jspropertycache.cpp
+++ b/js/src/jspropertycache.cpp
@ -76,6 +76,15 @@ PropertyCache::fill(JSContext *cx, JSObject *obj, uintN scopeIndex, uintN protoI
        return JS_NO_PROP_CACHE_FILL;
    }

+    /*
+     * Dictionary-mode objects have unique shapes, so there is no way to cache
+     * a prediction of the next shape when adding.
+     */
+    if (adding && obj->inDictionaryMode()) {
+        PCMETER(add2dictfills++);
+        return JS_NO_PROP_CACHE_FILL;
+    }
+
    /*
     * Check for overdeep scope and prototype chain. Because resolve, getter,
     * and setter hooks can change the prototype chain using JS_SetPrototype
@ -442,6 +451,7 @@ PropertyCache::purge(JSContext *cx)
        P(rofills);
        P(disfills);
        P(oddfills);
+        P(add2dictfills);
        P(modfills);
        P(brandfills);
        P(noprotos);
--- a/js/src/jspropertycache.h
+++ b/js/src/jspropertycache.h
@ -176,6 +176,7 @@ class PropertyCache
    uint32              rofills;        /* set on read-only prop can't fill */
    uint32              disfills;       /* fill attempts on disabled cache */
    uint32              oddfills;       /* fill attempt after setter deleted */
+    uint32              add2dictfills;  /* fill attempt on dictionary object */
    uint32              modfills;       /* fill that rehashed to a new entry */
    uint32              brandfills;     /* scope brandings to type structural
                                           method fills */
--- a/js/src/jsscope.cpp
+++ b/js/src/jsscope.cpp
@ -1107,11 +1107,12 @@ JSObject::removeProperty(JSContext *cx, jsid id)

        /*
         * Remove shape from its non-circular doubly linked list, setting this
-         * object's shape first if shape is not lastProp so the updateShape(cx)
-         * after this if-else will generate a fresh shape for this scope.
+         * object's shape first so the updateShape(cx) after this if-else will
+         * generate a fresh shape for this scope. We need a fresh shape for all
+         * deletions, even of lastProp. Otherwise, a shape number can replay
+         * and caches may return get deleted DictionaryShapes! See bug 595365.
         */
-        if (shape != lastProp)
-            setOwnShape(lastProp->shape);
+        setOwnShape(lastProp->shape);

        Shape *oldLastProp = lastProp;
        shape->removeFromDictionary(this);
--- a/js/src/tests/js1_8_5/regress/jstests.list
+++ b/js/src/tests/js1_8_5/regress/jstests.list
@ -32,3 +32,5 @@ script regress-588339.js
 script regress-yarr-regexp.js
 script regress-592556-c35.js
 script regress-593256.js
+script regress-595365-1.js
+script regress-595365-2.js
--- a/js/src/tests/js1_8_5/regress/regress-595365-1.js
+++ b/js/src/tests/js1_8_5/regress/regress-595365-1.js
@ -0,0 +1,31 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ */
+
+/*
+ * NB: this test hardcodes the value of MAX_PROPERTY_TREE_HEIGHT.
+ */
+var i = 0;
+function add0to64(o) {
+  o.p00 = ++i;o.p01 = ++i;o.p02 = ++i;o.p03 = ++i;o.p04 = ++i;o.p05 = ++i;o.p06 = ++i;o.p07 = ++i;
+  o.p10 = ++i;o.p11 = ++i;o.p12 = ++i;o.p13 = ++i;o.p14 = ++i;o.p15 = ++i;o.p16 = ++i;o.p17 = ++i;
+  o.p20 = ++i;o.p21 = ++i;o.p22 = ++i;o.p23 = ++i;o.p24 = ++i;o.p25 = ++i;o.p26 = ++i;o.p27 = ++i;
+  o.p30 = ++i;o.p31 = ++i;o.p32 = ++i;o.p33 = ++i;o.p34 = ++i;o.p35 = ++i;o.p36 = ++i;o.p37 = ++i;
+  o.p40 = ++i;o.p41 = ++i;o.p42 = ++i;o.p43 = ++i;o.p44 = ++i;o.p45 = ++i;o.p46 = ++i;o.p47 = ++i;
+  o.p50 = ++i;o.p51 = ++i;o.p52 = ++i;o.p53 = ++i;o.p54 = ++i;o.p55 = ++i;o.p56 = ++i;o.p57 = ++i;
+  o.p60 = ++i;o.p61 = ++i;o.p62 = ++i;o.p63 = ++i;o.p64 = ++i;o.p65 = ++i;o.p66 = ++i;o.p67 = ++i;
+  o.p70 = ++i;o.p71 = ++i;o.p72 = ++i;o.p73 = ++i;o.p74 = ++i;o.p75 = ++i;o.p76 = ++i;o.p77 = ++i;
+  o.p100 = ++i;
+  return o;
+}
+function add65th(o) {
+  o.p101 = ++i;
+}
+var o = add0to64({});
+add65th(o);
+delete o.p101;
+add65th(o);
+
+reportCompare(true, true, "don't crash");
--- a/js/src/tests/js1_8_5/regress/regress-595365-2.js
+++ b/js/src/tests/js1_8_5/regress/regress-595365-2.js
@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ */
+
+/*
+ * NB: this test hardcodes the value of MAX_PROPERTY_TREE_HEIGHT.
+ */
+var i = 0;
+function add0to64(o) {
+  o.p00 = ++i;o.p01 = ++i;o.p02 = ++i;o.p03 = ++i;o.p04 = ++i;o.p05 = ++i;o.p06 = ++i;o.p07 = ++i;
+  o.p10 = ++i;o.p11 = ++i;o.p12 = ++i;o.p13 = ++i;o.p14 = ++i;o.p15 = ++i;o.p16 = ++i;o.p17 = ++i;
+  o.p20 = ++i;o.p21 = ++i;o.p22 = ++i;o.p23 = ++i;o.p24 = ++i;o.p25 = ++i;o.p26 = ++i;o.p27 = ++i;
+  o.p30 = ++i;o.p31 = ++i;o.p32 = ++i;o.p33 = ++i;o.p34 = ++i;o.p35 = ++i;o.p36 = ++i;o.p37 = ++i;
+  o.p40 = ++i;o.p41 = ++i;o.p42 = ++i;o.p43 = ++i;o.p44 = ++i;o.p45 = ++i;o.p46 = ++i;o.p47 = ++i;
+  o.p50 = ++i;o.p51 = ++i;o.p52 = ++i;o.p53 = ++i;o.p54 = ++i;o.p55 = ++i;o.p56 = ++i;o.p57 = ++i;
+  o.p60 = ++i;o.p61 = ++i;o.p62 = ++i;o.p63 = ++i;o.p64 = ++i;o.p65 = ++i;o.p66 = ++i;o.p67 = ++i;
+  o.p70 = ++i;o.p71 = ++i;o.p72 = ++i;o.p73 = ++i;o.p74 = ++i;o.p75 = ++i;o.p76 = ++i;o.p77 = ++i;
+  o.p100 = ++i;
+  return o;
+}
+function add65th(o) {
+  o.p101 = ++i;
+}
+var o = add0to64({});
+var o2 = add0to64({});
+var o_shape64 = shapeOf(o);
+assertEq(o_shape64, shapeOf(o2));
+add65th(o);
+add65th(o2);
+var o_shape65 = shapeOf(o);
+assertEq(false, o_shape65 === shapeOf(o2));
+delete o.p101;
+assertEq(false, shapeOf(o) === o_shape64);
+add65th(o);
+assertEq(false, shapeOf(o) === o_shape65);
+
+reportCompare(true, true, "don't crash");