On Mon, Jul 14, 2014 at 6:48 PM, Bill McCloskey
<[email protected]> wrote:
> I don't know about the duplicate length shape, although we do a lot of
> weird stuff related to that, so it's not too surprising. Maybe it's
> something related to this?
>   http://mxr.mozilla.org/mozilla-central/source/js/src/jsarray.cpp#679

I did some more digging, and that's not it.

The three cases I've seen like this are Array.length, Function.caller,
and 'Map Iterator'.next. (An aside: seriously, who chose to put a
space in a class name?)

In all three cases ObjectImpl::setFlag() gets called, which calls onto
Shape::replaceLastProperty(), which ends up "replacing" the shape by
creating one that's very similar but has a different flag... but the
original shape remains in the tree. This sounds dangerous but I don't
know if it's a bug or not.

I've included the relevant stack traces below, in case they're of interest.

Nick


'Map Iterator'.next:

#0  js::Shape::Shape (this=0x..., other=..., nfixed=4) at
../../../js/src/vm/Shape.h:1336
#1  0x... in js::Shape::Shape (this=0x..., other=..., nfixed=4) at
../../../js/src/vm/Shape.h:1347
#2  0x... in js::PropertyTree::getChild (this=0x..., cx=0x..., parentArg=0x...,
    unrootedChild=...) at ../../../js/src/jspropertytree.cpp:190
#3  0x... in js::Shape::replaceLastProperty (cx=0x..., base=...,
proto=..., shape=...)
    at ../../../js/src/vm/Shape.cpp:326
#4  0x... in js::Shape::setObjectFlag (cx=0x...,
flag=js::BaseShape::DELEGATE, proto=...,
    last=0x...) at ../../../js/src/vm/Shape.cpp:1419
#5  0x... in js::ObjectImpl::setFlag (this=0x..., cx=0x..., flag_=8,
    generateShape=js::ObjectImpl::GENERATE_SHAPE) at
../../../js/src/vm/Shape.cpp:1383
#6  0x... in JSObject::setDelegate (this=0x..., cx=0x...) at
../../../js/src/jsobj.h:268
#7  0x... in js::ExclusiveContext::getNewType (this=0x...,
    clasp=0x... <(anonymous namespace)::MapIteratorObject::class_>,
proto=..., fun=0x...)
    at ../../../js/src/jsinfer.cpp:3929
#8  0x... in js::NewObjectWithGivenProto (cxArg=0x...,
    clasp=0x... <(anonymous namespace)::MapIteratorObject::class_>,
protoArg=..., parentArg=0x...,
    allocKind=js::gc::FINALIZE_OBJECT4, newKind=js::GenericObject) at
../../../js/src/jsobj.cpp:1492
#9  0x... in js::NewObjectWithGivenProto (cx=0x...,
    clasp=0x... <(anonymous namespace)::MapIteratorObject::class_>,
proto=..., parent=0x...,
    newKind=js::GenericObject) at ../../../js/src/jsobjinlines.h:824
#10 0x... in js::NewObjectWithGivenProto (cx=0x...,
    clasp=0x... <(anonymous namespace)::MapIteratorObject::class_>,
proto=0x..., parent=0x...,
    newKind=js::GenericObject) at ../../../js/src/jsobjinlines.h:831
#11 0x... in (anonymous namespace)::MapIteratorObject::create
(cx=0x..., mapobj=..., data=0x...,
    kind=js::MapObject::Entries) at ../../../js/src/builtin/MapObject.cpp:928
#12 0x... in js::MapObject::iterator_impl (cx=0x..., args=...,
kind=js::MapObject::Entries)
    at ../../../js/src/builtin/MapObject.cpp:1366
#13 0x... in js::MapObject::entries_impl (cx=0x..., args=...)
    at ../../../js/src/builtin/MapObject.cpp:1402
#14 0x... in JS::CallNonGenericMethod (cx=0x...,
    Test=0x... <js::MapObject::is(JS::Handle<JS::Value>)>,
    Impl=0x... <js::MapObject::entries_impl(JSContext*,
JS::CallArgs)>, args=...)
    at ../../dist/include/js/CallNonGenericMethod.h:110
#15 0x... in js::MapObject::entries (cx=0x..., argc=0, vp=0x...)
    at ../../../js/src/builtin/MapObject.cpp:1409
#16 0x... in js::CallJSNative (cx=0x...,
    native=0x... <js::MapObject::entries(JSContext*, unsigned int,
JS::Value*)>, args=...)
    at ../../../js/src/jscntxtinlines.h:230
#17 0x... in js::Invoke (cx=0x..., args=..., construct=js::NO_CONSTRUCT)
    at ../../../js/src/vm/Interpreter.cpp:461
#18 0x... in Interpret (cx=0x..., state=...) at
../../../js/src/vm/Interpreter.cpp:2558
#19 0x... in js::RunScript (cx=0x..., state=...) at
../../../js/src/vm/Interpreter.cpp:408
#20 0x... in js::ExecuteKernel (cx=0x..., script=...,
scopeChainArg=..., thisv=...,
    type=js::EXECUTE_GLOBAL, evalInFrame=..., result=0x...) at
../../../js/src/vm/Interpreter.cpp:616
#21 0x... in js::Execute (cx=0x..., script=..., scopeChainArg=..., rval=0x...)
    at ../../../js/src/vm/Interpreter.cpp:652
#22 0x... in Evaluate (cx=0x..., obj=..., optionsArg=..., srcBuf=...,
rval=0x...)
    at ../../../js/src/jsapi.cpp:4865
#23 0x... in Evaluate (cx=0x..., obj=..., options=...,
    bytes=0x... "Object.defineProperty = null;\nvar std_isFinite =
isFinite;\nvar std_isNaN = isNaN;\nvar std_Array_indexOf =
ArrayIndexOf;\nvar std_Array_iterator = Array.prototype.iterator;\nvar
std_Array_join = Array.pr"..., length=134884,
    rval=0x...) at ../../../js/src/jsapi.cpp:4904
#24 0x... in JS::Evaluate (cx=0x..., obj=..., options=...,
    bytes=0x... "Object.defineProperty = null;\nvar std_isFinite =
isFinite;\nvar std_isNaN = isNaN;\nvar std_Array_indexOf =
ArrayIndexOf;\nvar std_Array_iterator = Array.prototype.iterator;\nvar
std_Array_join = Array.pr"..., length=134884,
    rval=...) at ../../../js/src/jsapi.cpp:4942
#25 0x... in JSRuntime::initSelfHosting (this=0x..., cx=0x...)
    at ../../../js/src/vm/SelfHosting.cpp:1032


Array.length:

#0  js::Shape::Shape (this=0x7fffdb402ad8, other=..., nfixed=0) at
../../../js/src/vm/Shape.h:1336
#1  0x00007ffff277e163 in js::Shape::Shape (this=0x7fffdb402ad8,
other=..., nfixed=0) at ../../../js/src/vm/Shape.h:1347
#2  0x00007ffff26ce1ab in js::PropertyTree::getChild
(this=0x7fffe4574a08, cx=0x7fffe451c340, parentArg=0x7fffdb402a88,
    unrootedChild=...) at ../../../js/src/jspropertytree.cpp:190
#3  0x00007ffff28a8d84 in js::Shape::replaceLastProperty
(cx=0x7fffe451c340, base=..., proto=..., shape=...)
    at ../../../js/src/vm/Shape.cpp:326
#4  0x00007ffff28ad07b in js::Shape::setObjectFlag (cx=0x7fffe451c340,
flag=js::BaseShape::NEW_TYPE_UNKNOWN, proto=...,
    last=0x7fffdb402ab0) at ../../../js/src/vm/Shape.cpp:1419
#5  0x00007ffff28acf1e in js::ObjectImpl::setFlag
(this=0x7fffdb406080, cx=0x7fffe451c340, flag_=1024,
    generateShape=js::ObjectImpl::GENERATE_NONE) at
../../../js/src/vm/Shape.cpp:1383
#6  0x00007ffff2636869 in JSObject::setNewTypeUnknown
(cx=0x7fffe451c340, clasp=0x7ffff546c598 <js::ArrayObject::class_>,
    obj=...) at ../../../js/src/jsinfer.cpp:3844
#7  0x00007ffff1fd18ba in CreateArrayPrototype (cx=0x7fffe451c340,
key=JSProto_Array) at ../../../js/src/jsarray.cpp:3110
#8  0x00007ffff27eec8e in js::GlobalObject::resolveConstructor
(cx=0x7fffe451c340, global=..., key=JSProto_Array)
    at ../../../js/src/vm/GlobalObject.cpp:150
#9  0x00007ffff27ee9d8 in js::GlobalObject::ensureConstructor
(cx=0x7fffe451c340, global=..., key=JSProto_Array)
    at ../../../js/src/vm/GlobalObject.cpp:92
#10 0x00007ffff27efe4a in js::GlobalObject::initStandardClasses
(cx=0x7fffe451c340, global=...)
    at ../../../js/src/vm/GlobalObject.cpp:274
#11 0x00007ffff28a63d9 in JSRuntime::initSelfHosting
(this=0x7fffdd494000, cx=0x7fffe451c340)
    at ../../../js/src/vm/SelfHosting.cpp:991
#12 0x00007ffff25d5d3f in js::NewContext (rt=0x7fffdd494000,
stackChunkSize=8192) at ../../../js/src/jscntxt.cpp:199
#13 0x00007ffff25d5c5d in JS_NewContext (rt=0x7fffdd494000,
stackChunkSize=8192) at ../../../js/src/jsapi.cpp:769
#14 0x00007fffef561bb9 in XPCJSContextStack::InitSafeJSContext
(this=0x7ffff6c3c530)
    at ../../../../js/xpconnect/src/XPCJSContextStack.cpp:168
#15 0x00007fffef5da174 in nsXPConnect::InitStatics () at
../../../../js/xpconnect/src/nsXPConnect.cpp:140
#16 0x00007fffef581f69 in xpcModuleCtor () at
../../../../js/xpconnect/src/XPCModule.cpp:13
#17 0x00007fffef4e2b55 in Initialize () at
../../../layout/build/nsLayoutModule.cpp:382
#18 0x00007fffed6ce3ad in nsComponentManagerImpl::KnownModule::Load
(this=0x7fffdde13800)
    at ../../../xpcom/components/nsComponentManager.cpp:755
#19 0x00007fffed6cf1b2 in nsFactoryEntry::GetFactory (this=0x7fffdde12d60)
    at ../../../xpcom/components/nsComponentManager.cpp:1779
#20 0x00007fffed6cfc2b in
nsComponentManagerImpl::CreateInstanceByContractID
(this=0x7ffff6c73840,
    aContractID=0x7ffff2d961de <.L.str74>
"@mozilla.org/moz/jsloader;1", aDelegate=0x0, aIID=...,
aResult=0x7fffffffc180)
    at ../../../xpcom/components/nsComponentManager.cpp:1080
#21 0x00007fffed6cb917 in
nsComponentManagerImpl::GetServiceByContractID (this=0x7ffff6c73840,
    aContractID=0x7ffff2d961de <.L.str74>
"@mozilla.org/moz/jsloader;1", aIID=..., result=0x7fffffffc240)
    at ../../../xpcom/components/nsComponentManager.cpp:1439


Function.caller:

#0  js::Shape::Shape (this=0x..., other=..., nfixed=4) at
../../../js/src/vm/Shape.h:1336
#1  0x00007ffff277e163 in js::Shape::Shape (this=0x7fffdb402a38,
other=..., nfixed=0) at ../../../js/src/vm/Shape.h:1347
#2  0x00007ffff26ce1ab in js::PropertyTree::getChild
(this=0x7fffe4576a08, cx=0x7fffe451c340, parentArg=0x7fffdb4029e8,
    unrootedChild=...) at ../../../js/src/jspropertytree.cpp:190
#3  0x00007ffff28a8d84 in js::Shape::replaceLastProperty
(cx=0x7fffe451c340, base=..., proto=..., shape=...)
    at ../../../js/src/vm/Shape.cpp:326
#4  0x00007ffff28ad07b in js::Shape::setObjectFlag (cx=0x7fffe451c340,
flag=js::BaseShape::NOT_EXTENSIBLE, proto=...,
    last=0x7fffdb402a10) at ../../../js/src/vm/Shape.cpp:1419
#5  0x00007ffff28acf1e in js::ObjectImpl::setFlag
(this=0x7fffdb405a80, cx=0x7fffe451c340, flag_=16,
    generateShape=js::ObjectImpl::GENERATE_SHAPE) at
../../../js/src/vm/Shape.cpp:1383
#6  0x00007ffff28acd03 in js::ObjectImpl::preventExtensions
(cx=0x7fffe451c340, obj=...) at ../../../js/src/vm/Shape.cpp:1355
#7  0x00007ffff26c65df in FinishObjectClassInit (cx=0x7fffe451c340,
ctor=..., proto=...) at ../../../js/src/jsobj.cpp:148
#8  0x00007ffff27ef1b8 in js::GlobalObject::resolveConstructor
(cx=0x7fffe451c340, global=..., key=JSProto_Object)
    at ../../../js/src/vm/GlobalObject.cpp:191
#9  0x00007ffff27ee9d8 in js::GlobalObject::ensureConstructor
(cx=0x7fffe451c340, global=..., key=JSProto_Object)
    at ../../../js/src/vm/GlobalObject.cpp:92
#10 0x00007ffff27efe4a in js::GlobalObject::initStandardClasses
(cx=0x7fffe451c340, global=...)
    at ../../../js/src/vm/GlobalObject.cpp:274
#11 0x00007ffff28a63d9 in JSRuntime::initSelfHosting
(this=0x7fffdd494000, cx=0x7fffe451c340)
    at ../../../js/src/vm/SelfHosting.cpp:991
#12 0x00007ffff25d5d3f in js::NewContext (rt=0x7fffdd494000,
stackChunkSize=8192) at ../../../js/src/jscntxt.cpp:199
#13 0x00007ffff25d5c5d in JS_NewContext (rt=0x7fffdd494000,
stackChunkSize=8192) at ../../../js/src/jsapi.cpp:769
#14 0x00007fffef561bb9 in XPCJSContextStack::InitSafeJSContext
(this=0x7ffff6c3c530)
    at ../../../../js/xpconnect/src/XPCJSContextStack.cpp:168
#15 0x00007fffef5da174 in nsXPConnect::InitStatics () at
../../../../js/xpconnect/src/nsXPConnect.cpp:140
#16 0x00007fffef581f69 in xpcModuleCtor () at
../../../../js/xpconnect/src/XPCModule.cpp:13
#17 0x00007fffef4e2b55 in Initialize () at
../../../layout/build/nsLayoutModule.cpp:382
#18 0x00007fffed6ce3ad in nsComponentManagerImpl::KnownModule::Load()
() from /home/njn/moz/mi6/cd64/dist/bin/libxul.so
#19 0x00007fffed6cf1b2 in nsFactoryEntry::GetFactory (this=0x7fffdde12d60)
    at ../../../xpcom/components/nsComponentManager.cpp:1779
#20 0x00007fffed6cfc2b in
nsComponentManagerImpl::CreateInstanceByContractID
(this=0x7ffff6c73840,
    aContractID=0x7ffff2d961de <.L.str74>
"@mozilla.org/moz/jsloader;1", aDelegate=0x0, aIID=...,
aResult=0x7fffffffc180)
    at ../../../xpcom/components/nsComponentManager.cpp:1080
#21 0x00007fffed6cb917 in
nsComponentManagerImpl::GetServiceByContractID (this=0x7ffff6c73840,
    aContractID=0x7ffff2d961de <.L.str74>
"@mozilla.org/moz/jsloader;1", aIID=..., result=0x7fffffffc240)
    at ../../../xpcom/components/nsComponentManager.cpp:1439
#22 0x00007fffed5c09de in CallGetService (aContractID=0x7ffff2d961de
<.L.str74> "@mozilla.org/moz/jsloader;1", aIID=...,
    aResult=0x7fffffffc240) at
/home/njn/moz/mi6/xpcom/glue/nsComponentManagerUtils.cpp:67
_______________________________________________
dev-tech-js-engine-internals mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
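A toy model of the shape-tree mechanics Nick describes, added here as an illustration; it is not SpiderMonkey's code and nothing in it comes from the thread. It assumes the parts the email states (ObjectImpl::setFlag calls Shape::replaceLastProperty, which goes through PropertyTree::getChild and yields a near-identical shape with different flags, while the original stays in the tree) and invents the rest: flag values, a per-parent child map keyed by (property name, flags), and a root table keyed by flags alone.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Object flags for the model; the names echo the traces, the values are made up.
enum : unsigned { DELEGATE = 1u << 0, NOT_EXTENSIBLE = 1u << 1 };

struct Shape {
    std::string name;   // property this node adds ("" for an empty root shape)
    unsigned flags;     // object-level flags carried by the whole shape
    Shape* parent;      // nullptr for a root
    std::map<std::pair<std::string, unsigned>, Shape*> kids;  // dedup per parent
};

class PropertyTree {
public:
    // Empty (root) shapes are deduplicated by flags alone (assumption).
    Shape* getEmptyShape(unsigned flags) {
        auto it = roots_.find(flags);
        if (it != roots_.end()) return it->second;
        Shape* s = alloc("", flags, nullptr);
        roots_[flags] = s;
        return s;
    }
    // Stand-in for PropertyTree::getChild: return the child matching
    // (name, flags) or create it. Nothing is ever removed here.
    Shape* getChild(Shape* parent, const std::string& name, unsigned flags) {
        auto key = std::make_pair(name, flags);
        auto it = parent->kids.find(key);
        if (it != parent->kids.end()) return it->second;
        Shape* s = alloc(name, flags, parent);
        parent->kids[key] = s;
        return s;
    }
    std::size_t liveShapes() const { return arena_.size(); }
    // True if `s` can still be reached by walking down from some root.
    bool reachable(const Shape* s) const {
        for (const auto& r : roots_)
            if (contains(r.second, s)) return true;
        return false;
    }
private:
    Shape* alloc(const std::string& name, unsigned flags, Shape* parent) {
        arena_.push_back(std::unique_ptr<Shape>(new Shape{name, flags, parent, {}}));
        return arena_.back().get();
    }
    static bool contains(const Shape* node, const Shape* target) {
        if (node == target) return true;
        for (const auto& kv : node->kids)
            if (contains(kv.second, target)) return true;
        return false;
    }
    std::map<unsigned, Shape*> roots_;
    std::vector<std::unique_ptr<Shape>> arena_;
};

// Stand-in for Shape::replaceLastProperty: the "replacement" is a sibling of
// `last` under the same parent, differing only in flags; `last` is not touched.
Shape* replaceLastProperty(PropertyTree& tree, Shape* last, unsigned newFlags) {
    if (!last->parent) return tree.getEmptyShape(newFlags);
    return tree.getChild(last->parent, last->name, newFlags);
}

struct Object { Shape* shape; };

// Stand-in for ObjectImpl::setFlag: re-point the object at a flagged shape.
void setFlag(PropertyTree& tree, Object& obj, unsigned flag) {
    if (obj.shape->flags & flag) return;  // already set, nothing to replace
    obj.shape = replaceLastProperty(tree, obj.shape, obj.shape->flags | flag);
}

// Add a property on top of the object's current shape.
void addProperty(PropertyTree& tree, Object& obj, const std::string& name) {
    obj.shape = tree.getChild(obj.shape, name, obj.shape->flags);
}

struct Outcome {
    std::size_t liveShapes;          // nodes allocated in total
    std::size_t siblingsUnderParent; // children of the old shape's parent
    bool oldStillReachable;          // old shape still hangs in the tree
    bool oldFlagsUnchanged;          // old shape was not mutated in place
    bool secondObjectReused;         // a second object lands on the same flagged shape
};

// Constructed scenario: an object gains "length", then a flag is set on it.
Outcome demo() {
    PropertyTree tree;
    Object arr{tree.getEmptyShape(0)};
    addProperty(tree, arr, "length");
    Shape* before = arr.shape;
    Shape* parent = before->parent;
    setFlag(tree, arr, NOT_EXTENSIBLE);
    Object arr2{tree.getEmptyShape(0)};
    addProperty(tree, arr2, "length");
    setFlag(tree, arr2, NOT_EXTENSIBLE);
    return Outcome{tree.liveShapes(), parent->kids.size(), tree.reachable(before),
                   before->flags == 0, arr2.shape == arr.shape};
}

int main() {
    Outcome o = demo();
    std::printf("live=%zu siblings=%zu old_reachable=%d old_unchanged=%d reused=%d\n",
                o.liveShapes, o.siblingsUnderParent, o.oldStillReachable,
                o.oldFlagsUnchanged, o.secondObjectReused);
    return 0;
}
```

What the model makes visible is exactly the point of the email: setting the flag does not edit the shape the object had, it allocates a sibling under the same parent and leaves the original node reachable from the root. In this toy the duplicate is merely retained (and reused by the next object that takes the same path), so whether the same retention in the real tree is a leak, a confusion risk, or harmless is the question Nick leaves open, and a reader should check the real getChild/replaceLastProperty rather than trust this simplification.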
