Closed
Bug 506312
Opened 15 years ago
Closed 15 years ago
"Assertion failure: slot == scope->freeslot, at ../jsinterp.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
People
(Reporter: gkw, Assigned: brendan)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
2.55 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
function f1() {
var f = gc
try {
f2()
} catch(e) {}
gc()
}
function f2() {
[]({
t: 0
})
}
f1()
try {
f
} catch(e) {
+ e
}
f2()
asserts dbg js shell from TM branch without -j at Assertion failure: slot == scope->freeslot, at ../jsinterp.cpp:6479
autoBisect shows this is probably related to bug 488731 :
The first bad revision is:
changeset: 30616:047b9102dddb
user: Brendan Eich <brendan@mozilla.org>
date: Thu Jul 23 17:59:49 2009 -0700
summary: Avoid shape regeneration and property cache purging from the GC unless the shape generator overflows (488731, r=jorendorff).
Flags: blocking1.9.2?
|
Assignee | |
Comment 1•15 years ago
|
||
|
||
Updated•15 years ago
|
Attachment #390516 -
Flags: review?(jorendorff) → review+
|
|
||
Comment 2•15 years ago
|
||
Comment on attachment 390516 [details] [diff] [review]
fix bad bug in patch for bug 488731
ok -- but I think the fact that we don't trace the property cache -- or better, purge property cache entries that refer to dead sprops and objects -- is a different (probably easier) bug than bug 506341.
|
|
||
Comment 3•15 years ago
|
||
(In reply to comment #2)
> (From update of attachment 390516 [details] [diff] [review])
> ok -- but I think the fact that we don't trace the property cache -- or better,
> purge property cache entries that refer to dead sprops and objects -- is a
> different (probably easier) bug than bug 506341.
Hmmm, it appears that is *exactly* what bug 506341 is about. Never mind me!
|
|
Assignee | |
Comment 4•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/621b8a3eab32
Hope this clears all the orange -- I think it will.
/be
Whiteboard: fixed-in-tracemonkey
|
||
Comment 5•15 years ago
|
||
it did
|
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Comment 6•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
Reporter | |
Updated•15 years ago
|
Flags: in-testsuite?
|
||
Comment 7•15 years ago
|
||
Mass change: adding fixed1.9.2 keyword
(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
|
||
Updated•15 years ago
|
status1.9.2:
--- → beta1-fixed
Keywords: fixed1.9.2
|
||
Comment 8•12 years ago
|
||
Filter on qa-project-auto-change:
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•