Closed Bug 655998 Opened 13 years ago Closed 13 years ago

TI+JM: Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h:296

Categories

(Core :: JavaScript Engine, defect)

RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

--
function f(x) {
    var y;
    gc();
    ++x.x;
}
f(1);
f.call(2, 3);
--
$ ./js -n -a -m test.js
Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h:296

Revision 32e8c937a409, 32-bit OS X.

We have to do this disgusting thing when INCPROP and its variants overflow, as the object's type itself needs to be updated but the overflow came from a Sub/Add stub call.  Before the add/sub we make sure the object is synced and in a particular slot for the Sub/Add to find (which will then snoop the bytecode and see if it needs to update the object).  This slot changed in the interpoline patch and I forgot to update this function.

The interpoline has an even hairier job dealing with these incops, as it has to be able to rejoin from a recompilation triggered by any of the like four different calls that can be made within an INCPROP, INCNAME or INCGNAME.  To handle this mess we make sure the stack is consistent between these different variants to reduce the explosion in possible states, which was the reason for the slot change.  The real fix, of course, is to remove these opcodes entirely.

http://hg.mozilla.org/projects/jaegermonkey/rev/83e786a7e348
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED