Closed
Bug 455408
Opened 16 years ago
Closed 16 years ago
TM: Assertion failed: "Should not move data from GPR to XMM" with __proto__
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.9.1b1
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: assertion, testcase)
Attachments
(1 file, 2 obsolete files)
|
3.22 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
$ ~/tracemonkey/js/src/Darwin_DBG.OBJ/js -j
js> for (var j = 0; j < 5; ++j) { if (({}).__proto__ = 1) { } }
Assertion failed: "Should not move data from GPR to XMM": false (nanojit/Nativei386.cpp:1192)
|
||
Updated•16 years ago
|
Summary: Assertion failed: "Should not move data from GPR to XMM" with __proto__ → TM: Assertion failed: "Should not move data from GPR to XMM" with __proto__
|
Assignee | |
Comment 1•16 years ago
|
||
Not sure why this was crashing in nanojit last night, but it works as expected now. /me whistles in the dark... /be
|
|
Assignee | |
Updated•16 years ago
|
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1b1
|
||
Updated•16 years ago
|
Attachment #338834 -
Flags: review?(danderson) → review+
|
|
||
Comment 2•16 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/66a76c8c7346
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
||
Comment 3•16 years ago
|
||
Backed out, breaks access-nbody. Tracker gets modified pre-snapshot in miss/hit. http://hg.mozilla.org/tracemonkey/rev/a775aa0a8e76
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Updated•16 years ago
|
Status: REOPENED → ASSIGNED
|
|
Assignee | |
Comment 4•16 years ago
|
||
The FullTest hit case was not traced, and also allowed for PCVAL_IS_SLOT even though js_FillPropertyCache will never fill that kind of cache entry value for a JOF_SET opcode -- it will only ever fill such that PCVAL_IS_SPROP. The main fix is to abort in the uncacheable property set case. /be
Attachment #338834 -
Attachment is obsolete: true
Attachment #338854 -
Flags: review?(gal)
|
|
||
Updated•16 years ago
|
Attachment #338854 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 5•16 years ago
|
||
Previous patch could fail to call any record_JSOP_SETPROP helper yet not abort. Also could call record_SetPropHit twice for cases that do not hit the first-level (pc/shape-indexed) property cache. Andreas, you mentioned insignificant perf hit -- could you re-test this and say more if it seems to regress perf at all? Thanks, /be
Attachment #338854 -
Attachment is obsolete: true
Attachment #338864 -
Flags: review?(gal)
|
|
||
Comment 6•16 years ago
|
||
Comment on attachment 338864 [details] [diff] [review] best fix + based on testing. SETPROP is above my pay grade. No perf hit.
Attachment #338864 -
Flags: review?(gal) → review+
|
|
||
Comment 7•16 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/6db3e2a6435b
Status: ASSIGNED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
|
|
||
Comment 8•16 years ago
|
||
Test case: http://hg.mozilla.org/tracemonkey/rev/4b7055be0063
|
||
Comment 9•16 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-455408.js,v <-- regress-455408.js initial revision: 1.1 http://hg.mozilla.org/mozilla-central/rev/8cdae57fff2a
Flags: in-testsuite+
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•