Closed Bug 506312 Opened 15 years ago Closed 15 years ago

"Assertion failure: slot == scope->freeslot, at ../jsinterp.cpp"

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
status1.9.2 --- beta1-fixed

People

(Reporter: gkw, Assigned: brendan)

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

function f1() {
    var f = gc
    try {
        f2()
    } catch(e) {}
    gc()
}
function f2() { 
    []({
        t: 0
    })
}
f1()
try {
    f
} catch(e) {
    + e
}
f2()

asserts dbg js shell from TM branch without -j at Assertion failure: slot == scope->freeslot, at ../jsinterp.cpp:6479

autoBisect shows this is probably related to bug 488731:

The first bad revision is:
changeset:   30616:047b9102dddb
user:        Brendan Eich <brendan@mozilla.org>
date:        Thu Jul 23 17:59:49 2009 -0700
summary:     Avoid shape regeneration and property cache purging from the GC unless the shape generator overflows (488731, r=jorendorff).
Flags: blocking1.9.2?
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #390516 - Flags: review?(jorendorff)
Attachment #390516 - Flags: review?(jorendorff) → review+
Comment on attachment 390516
fix bad bug in patch for bug 488731

ok -- but I think the fact that we don't trace the property cache -- or better, purge property cache entries that refer to dead sprops and objects -- is a different (probably easier) bug than bug 506341.

(In reply to comment #2)
> (From update of attachment 390516)
> ok -- but I think the fact that we don't trace the property cache -- or better,
> purge property cache entries that refer to dead sprops and objects -- is a
> different (probably easier) bug than bug 506341.

Hmmm, it appears that is *exactly* what bug 506341 is about. Never mind me!

http://hg.mozilla.org/tracemonkey/rev/621b8a3eab32

Hope this clears all the orange -- I think it will.

/be
Whiteboard: fixed-in-tracemonkey

it did

Flags: blocking1.9.2? → blocking1.9.2+

http://hg.mozilla.org/mozilla-central/rev/621b8a3eab32
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Mass change: adding fixed1.9.2 keyword

(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
Filter on qa-project-auto-change:

Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-