RESOLVED DUPLICATE of bug 179734 157148
Assertion failure when accessing static class getter named "name" 
https://bugs.webkit.org/show_bug.cgi?id=157148
Summary Assertion failure when accessing static class getter named "name"
André Bargull
Reported 2016-04-28 13:13:11 PDT
SVN: rev200124 Build with: perl Tools/Scripts/build-jsc --gtk --debug The following test case triggers this assertion error: --- ASSERTION FAILED: !(attributes & ReadOnly) --- Test case: --- (class c { static get name(){ } }).name --- Stack trace: --- #0 0x00007ffff6e289ac in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:322 #1 0x000000000044cddf in JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1> (this=0x7fffaedbf580, vm=..., propertyName=..., value=..., attributes=6, slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1380 #2 0x00000000004461bd in JSC::JSObject::putDirect (this=0x7fffaedbf580, vm=..., propertyName=..., value=..., attributes=6) at ../../Source/JavaScriptCore/runtime/JSObject.h:1524 #3 0x00007ffff6bf47ce in JSC::JSFunction::reifyName (this=0x7fffaedbf580, exec=0x7fffffffcb60, name=...) at ../../Source/JavaScriptCore/runtime/JSFunction.cpp:630 #4 0x00007ffff6bf456a in JSC::JSFunction::reifyName (this=0x7fffaedbf580, exec=0x7fffffffcb60) at ../../Source/JavaScriptCore/runtime/JSFunction.cpp:612 #5 0x00007ffff6bf48fc in JSC::JSFunction::reifyLazyPropertyIfNeeded (this=0x7fffaedbf580, exec=0x7fffffffcb60, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSFunction.cpp:641 #6 0x00007ffff6bf2dcc in JSC::JSFunction::getOwnPropertySlot (object=0x7fffaedbf580, exec=0x7fffffffcb60, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSFunction.cpp:395 #7 0x0000000000445d94 in JSC::JSObject::getNonIndexPropertySlot (this=0x7fffaedbf580, exec=0x7fffffffcb60, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1320 #8 0x0000000000445919 in JSC::JSObject::getPropertySlot (this=0x7fffaedbf580, exec=0x7fffffffcb60, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1262 #9 0x0000000000448de4 in JSC::JSValue::getPropertySlot (this=0x7fffffffc9c0, exec=0x7fffffffcb60, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:785 #10 0x0000000000448ce0 in JSC::JSValue::get (this=0x7fffffffc9c0, exec=0x7fffffffcb60, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:767 #11 0x00007ffff6a23ed4 in JSC::(anonymous namespace)::llint_slow_path_get_by_id (exec=0x7fffffffcb60, pc=0x7fffae9f3590) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:569 #12 0x00007ffff6a30587 in llint_entry () at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1037 #13 0x00007ffff6a2d895 in vmEntryToJavaScript () at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1037 #14 0x00007ffff69d46d2 in JSC::JITCode::execute (this=0x7ffff0d9c640, vm=0x7fffb09f1000, protoCallFrame=0x7fffffffcd30) at ../../Source/JavaScriptCore/jit/JITCode.cpp:80 #15 0x00007ffff6997f4f in JSC::Interpreter::execute (this=0x7ffff0def058, program=0x7fffaedfbf70, callFrame=0x7fffaede7940, thisObj=0x7fffaedba360) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:960 #16 0x00007ffff6b849ad in JSC::evaluate (exec=0x7fffaede7940, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:106 #17 0x000000000043a120 in runInteractive (globalObject=0x7fffaede7900) at ../../Source/JavaScriptCore/jsc.cpp:2083 #18 0x000000000043abcb in runJSC (vm=0x7fffb09f1000, options=...) at ../../Source/JavaScriptCore/jsc.cpp:2244 #19 0x000000000043b0a1 in jscmain (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:2293 #20 0x000000000043967f in main (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:1947 ---
Attachments
Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2016-05-26 05:31:56 PDT
We performed putDirect for static members, but in that case, we don't consider about non-JSObject cases (in this case, it is JSFunction). Then, we put "name" field forcefully. So later, JSFunction reify its "name" field, and fail.
André Bargull
Comment 2 2018-02-27 12:03:31 PST
Test case no longer reproduces at r228977.
Alexey Shvayka
Comment 3 2020-08-22 14:25:00 PDT
(In reply to André Bargull from comment #0) > Test case: > --- > (class c { static get name(){ } }).name > --- (In reply to André Bargull from comment #2) > Test case no longer reproduces at r228977. No reproduction at r265669 either. According to the ChangeLog, it was fixed in r224927. Test coverage: JSTests/stress/class-static-get-weird.js *** This bug has been marked as a duplicate of bug 179734 ***
Note You need to log in before you can comment on or make changes to this bug.