Closed Bug 578897 Opened 10 years ago Closed 10 years ago

JM: InstanceOf failing to PIC trips assert

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set

Tracking

()

RESOLVED FIXED

People

(Reporter: sstangl, Assigned: dmandelin)

References

Details

Attachments

(2 files, 2 obsolete files)

Attached file Backtrace. (obsolete) —
The patch from bug 578896 enables compiling with --disable-polyic.

With PICs disabled, basic/testNegativeArrayLength.js trips an assert within stubs::GetProp(), which trips itself looking through the property cache. Note that this can still occur if PICs are enabled, if the PIC fails.

In the attached backtrace, op == JSOP_INSTANCEOF, and js_CodeSpec[op].length == 1.
Attached patch Rebase previous patch onto tip. (obsolete) — Splinter Review
Rebased previous patch onto moo tip. With patch applied and PICs disabled, there are 37 trace-test failures. These failures can be deterministically reproduced without disabling PICs, but this patch should ease debugging.
Attachment #457489 - Attachment is obsolete: true
Attachment #457493 - Flags: review?(dvander)
Attached file Backtrace.
Erm. Wrong bug for previous comment! Reverting, reverting.
Attachment #457493 - Attachment is obsolete: true
Attachment #457493 - Flags: review?(dvander)
Blocks: JaegerPIC
Assignee: general → dmandelin
Attached patch PatchSplinter Review
This seems to be the smallest edit distance fix.
Attachment #458466 - Flags: review?(dvander)
Attachment #458466 - Flags: review?(dvander) → review+
http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/ab5640d09f67
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.