Closed
Bug 453249
Opened 16 years ago
Closed 16 years ago
TM: "Assertion failure: s0->isQuad()"
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9.1b1
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: assertion, testcase)
Attachments
(1 file, 1 obsolete file)
1.40 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
./js -j js> this.__proto__.a = 3; for (var j = 0; j < 4; ++j) { [a]; } Assertion failure: s0->isQuad(), at jstracer.cpp:460
Comment 1•16 years ago
|
||
This seems to fix the assertion. I'm not exactly sure if it's always right though.
Comment 2•16 years ago
|
||
Comment on attachment 337540 [details] [diff] [review] Fix? insCall modifies args, so don't put the lir call into there. Also, this is incorrect since box_jsval should get in a double, not an int. Try to find out where the int here comes from and do i2f there, not in box_jsval.
Attachment #337540 -
Flags: review?(gal) → review-
Updated•16 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b1
Comment 3•16 years ago
|
||
This fails: this.__proto__.a = 3; for (var j = 0; j < 4; ++j) { [a]; } This works: this.a = 3; for (var j = 0; j < 4; ++j) { [a]; } My best guess is that the property cache lookup doesn't guard that the hit is in the object itself and not in the prototype.
Assignee | ||
Comment 4•16 years ago
|
||
No, we guard just fine on the proto/scope coordinates but then test_property_cache_direct_slot forgot to insist on a direct slot for "get" ops such as name. We cannot handle a prototype property of the global object. I don't think this is a problem for benchmarks or real-world code. This patch makes us abort trace-recording cleanly. /be
Assignee: mrbkap → brendan
Attachment #337540 -
Attachment is obsolete: true
Attachment #338780 -
Flags: review?(gal)
Comment 5•16 years ago
|
||
Comment on attachment 338780 [details] [diff] [review] fix This is what I was suspecting. Pushing.
Attachment #338780 -
Flags: review?(gal) → review+
Comment 6•16 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/165b7a7b2e45
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 7•16 years ago
|
||
Oh, you meant *that* kind of "guard" :-P. Cool, the layering and logic check out now: only TraceRecorder::name calls TraceRecorder::test_property_cache_direct_slot, so all unqualified name refs (simple "get" uses as in this test, or a++, --a, and so on) require direct slots. Thanks for pushing. Are we closing now when changes hit tracemonkey? Probably ok so long as we sync with mozilla-central quickly. /be
Comment 8•16 years ago
|
||
We keep forgetting to close bugs otherwise.
Comment 9•16 years ago
|
||
I'm not sure I follow the trace-test here. Specifically, why is the function even needed? Just to give the test a name?
Comment 10•16 years ago
|
||
Yeah, basically. Didn't know a better way to test something that happened in the global scope. We could pass in the global object via this though. Not sure that would still trigger the bug?
Comment 11•16 years ago
|
||
Nah, no need to change anything. I was just checking to see whether I was missing something.
Comment 12•16 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-453249.js,v <-- regress-453249.js initial revision: 1.1 http://hg.mozilla.org/mozilla-central/rev/8a23de31b12a
Flags: in-testsuite+
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•