449666 - TM: Assertion failure: JSSTRING_IS_FLAT during trace recording

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Robert Sayre]

Hitting this on blogspot.com blogs

Comment 1

[Robert Sayre]

Attachment: native and JS stack traces

Comment 2

[Robert Sayre]

Attachment: test case

Comment 3

[Robert Sayre]

Attachment: shell test case

Comment 4

[Mike Shaver (:shaver emeritus)]

We have some parts that require flat strings, but they should be guarded, and I wouldn't expect to see quite that stack.

Comment 5

[Brendan Eich [:brendan]]

Easy to fix: tracer needs to js_InternNonIntElementId (as interpreter JSOP_GETELEM case code will shortly -- so tracer should update the stack slot to save a redundant intern'ing). Anyone want to grab this, it's easy?

/be

Comment 6

[Robert Sayre]

Attachment: fix

Comment 7

[Brendan Eich [:brendan]]

Comment on attachment 333103 [details] [diff] [review]
fix

>+        JSObject *obj = JSVAL_TO_OBJECT(l);
>+
>+        if (!js_InternNonIntElementId(cx, obj, r, &id))
>+            return false;

Looks good, only thought is to cut through the E4X fog by calling js_ValueToStringId instead (js_InternNonIntElementId takes obj only to check whether it's XML, and if not just calls js_ValueToStringId). We know r is a string here, not an object (not a QName, an E4X compound identifier). Modularity is secondary both given how tight the tracer is with the interpreter, and because we have weeded out non-string r cases already.

r=me with that if you buy it, else as is.

/be

Comment 8

[Robert Sayre]

http://hg.mozilla.org/index.cgi/tracemonkey/rev/537fe0d1d47e

Comment 9

[Bob Clary [:bc] (inactive)]

http://hg.mozilla.org/tracemonkey/rev/422f9867bff9
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-449666.js,v  <--  regress-449666.js
initial revision: 1.1