Closed
Bug 453249
Opened 16 years ago
Closed 16 years ago
TM: "Assertion failure: s0->isQuad()"
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9.1b1
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: assertion, testcase)
Attachments
(1 file, 1 obsolete file)
|
1.40 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
./js -j
js> this.__proto__.a = 3; for (var j = 0; j < 4; ++j) { [a]; }
Assertion failure: s0->isQuad(), at jstracer.cpp:460
|
||
Comment 1•16 years ago
|
||
This seems to fix the assertion. I'm not exactly sure if it's always right though.
|
||
Comment 2•16 years ago
|
||
Comment on attachment 337540 [details] [diff] [review] Fix? insCall modifies args, so don't put the lir call into there. Also, this is incorrect since box_jsval should get in a double, not an int. Try to find out where the int here comes from and do i2f there, not in box_jsval.
Attachment #337540 -
Flags: review?(gal) → review-
|
||
Updated•16 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b1
|
|
||
Comment 3•16 years ago
|
||
This fails:
this.__proto__.a = 3; for (var j = 0; j < 4; ++j) { [a]; }
This works:
this.a = 3; for (var j = 0; j < 4; ++j) { [a]; }
My best guess is that the property cache lookup doesn't guard that the hit is in the object itself and not in the prototype.
|
Assignee | |
Comment 4•16 years ago
|
||
No, we guard just fine on the proto/scope coordinates but then test_property_cache_direct_slot forgot to insist on a direct slot for "get" ops such as name. We cannot handle a prototype property of the global object. I don't think this is a problem for benchmarks or real-world code. This patch makes us abort trace-recording cleanly. /be
Assignee: mrbkap → brendan
Attachment #337540 -
Attachment is obsolete: true
Attachment #338780 -
Flags: review?(gal)
|
|
||
Comment 5•16 years ago
|
||
Comment on attachment 338780 [details] [diff] [review] fix This is what I was suspecting. Pushing.
Attachment #338780 -
Flags: review?(gal) → review+
|
|
||
Comment 6•16 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/165b7a7b2e45
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 7•16 years ago
|
||
Oh, you meant *that* kind of "guard" :-P. Cool, the layering and logic check out now: only TraceRecorder::name calls TraceRecorder::test_property_cache_direct_slot, so all unqualified name refs (simple "get" uses as in this test, or a++, --a, and so on) require direct slots. Thanks for pushing. Are we closing now when changes hit tracemonkey? Probably ok so long as we sync with mozilla-central quickly. /be
|
|
||
Comment 8•16 years ago
|
||
We keep forgetting to close bugs otherwise.
|
||
Comment 9•16 years ago
|
||
I'm not sure I follow the trace-test here. Specifically, why is the function even needed? Just to give the test a name?
|
|
||
Comment 10•16 years ago
|
||
Yeah, basically. Didn't know a better way to test something that happened in the global scope. We could pass in the global object via this though. Not sure that would still trigger the bug?
|
|
||
Comment 11•16 years ago
|
||
Nah, no need to change anything. I was just checking to see whether I was missing something.
|
||
Comment 12•16 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-453249.js,v <-- regress-453249.js initial revision: 1.1 http://hg.mozilla.org/mozilla-central/rev/8a23de31b12a
Flags: in-testsuite+
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•