Last Comment Bug 655998 - TI+JM: Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h:296
: TI+JM: Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h:296
Status: RESOLVED FIXED
:
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: general
:
Mentors:
: 655963 656132 (view as bug list)
Depends on:
Blocks: infer-regress
  Show dependency treegraph
 
Reported: 2011-05-10 06:02 PDT by Jan de Mooij [:jandem]
Modified: 2011-05-11 07:21 PDT (History)
3 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Jan de Mooij [:jandem] 2011-05-10 06:02:23 PDT
--
function f(x) {
    var y;
    gc();
    ++x.x;
}
f(1);
f.call(2, 3);
--
$ ./js -n -a -m test.js
Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h:296

Revision 32e8c937a409, 32-bit OS X.
Comment 1 Brian Hackett (:bhackett) 2011-05-10 08:00:55 PDT
We have to do this disgusting thing when INCPROP and its variants overflow, as the object's type itself needs to be updated but the overflow came from a Sub/Add stub call.  Before the add/sub we make sure the object is synced and in a particular slot for the Sub/Add to find (which will then snoop the bytecode and see if it needs to update the object).  This slot changed in the interpoline patch and I forgot to update this function.

The interpoline has an even hairier job dealing with these incops, as it has to be able to rejoin from a recompilation triggered by any of the like four different calls that can be made within an INCPROP, INCNAME or INCGNAME.  To handle this mess we make sure the stack is consistent between these different variants to reduce the explosion in possible states, which was the reason for the slot change.  The real fix, of course, is to remove these opcodes entirely.

http://hg.mozilla.org/projects/jaegermonkey/rev/83e786a7e348
Comment 2 Brian Hackett (:bhackett) 2011-05-10 10:13:57 PDT
*** Bug 655963 has been marked as a duplicate of this bug. ***
Comment 3 Brian Hackett (:bhackett) 2011-05-11 07:21:22 PDT
*** Bug 656132 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.