
TI+JM: Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h:296

RESOLVED FIXED

Status

Product: Core
Component: JavaScript Engine
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 6 years ago

People

(Reporter: jandem, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

Description (Reporter, 6 years ago)
--
function f(x) {
    var y;
    gc();         // JS shell builtin: force a GC between the two calls
    ++x.x;        // INCPROP on a primitive receiver (x.x is undefined, so the store is NaN and silently dropped)
}
f(1);             // this = global, x = 1
f.call(2, 3);     // this = 2, x = 3
--
$ ./js -n -a -m test.js
Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h:296

Revision 32e8c937a409, 32-bit OS X.
We have to do this disgusting thing when INCPROP and its variants overflow, as the object's type itself needs to be updated but the overflow came from a Sub/Add stub call.  Before the add/sub we make sure the object is synced and in a particular slot for the Sub/Add to find (which will then snoop the bytecode and see if it needs to update the object).  This slot changed in the interpoline patch and I forgot to update this function.

The interpoline has an even hairier job dealing with these incops, as it has to be able to rejoin from a recompilation triggered by any of the like four different calls that can be made within an INCPROP, INCNAME or INCGNAME.  To handle this mess we make sure the stack is consistent between these different variants to reduce the explosion in possible states, which was the reason for the slot change.  The real fix, of course, is to remove these opcodes entirely.
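The comment above explains that the incop overflow fix lives in the JIT's int32-to-double fallback for INCPROP and its INCNAME/INCGNAME variants. The following is an added regression-style test, not code from this bug or from the JaegerMonkey tree, that exercises each variant once in range (so a method JIT compiles the int32 path) and once across the int32 boundary, with a GC in between as the testcase does, plus the primitive-receiver case from the testcase. It assumes gc() is the SpiderMonkey shell builtin and skips it on runtimes that lack it (node without --expose-gc); a top-level var is a true global name only in the shell. The checked values are plain ECMAScript semantics, which is exactly what the JIT's type update must preserve.

```javascript
var INT32_MAX = 2147483647;
var INT32_MIN = -2147483648;

// gc() is a SpiderMonkey shell builtin (as in the testcase). Node only
// has it with --expose-gc, so skip it elsewhere (assumption, not part of the bug).
function maybeGC() {
  if (typeof gc === "function") gc();
}

// INCPROP: ++obj.prop across the int32 boundary. A JIT int32 fast path
// overflows here and must fall back to a double and update the object's
// type; the observable result is just IEEE-754 arithmetic.
function incPropOverflow(o) {
  maybeGC();
  return ++o.x;
}

// DECPROP: the same path in the other direction.
function decPropOverflow(o) {
  maybeGC();
  return --o.x;
}

// INCNAME: ++local across the boundary.
function incNameOverflow(start) {
  var y = start;
  maybeGC();
  return ++y;
}

// INCGNAME: ++global across the boundary. A top-level var is a global
// name only in the shell; in a node module it is module-scoped.
var g = INT32_MAX;
function incGlobalNameOverflow() {
  g = INT32_MAX;
  maybeGC();
  return ++g;
}

// The receiver-is-a-primitive case from the testcase: ++x.x with x a
// number. x.x is undefined, so the increment yields NaN; sloppy code
// silently drops the store, strict code (an ES module) throws a
// TypeError. Return both shapes so the check holds in either mode.
function incPropOnPrimitive(x) {
  maybeGC();
  try {
    return { value: ++x.x, threw: false };
  } catch (e) {
    return { value: undefined, threw: e instanceof TypeError };
  }
}

// Warm each variant with an in-range value (lets a method JIT compile
// the int32 path), then cross the boundary, mirroring f(1); f.call(2, 3).
function runAll() {
  incPropOverflow({ x: 0 });
  decPropOverflow({ x: 0 });
  incNameOverflow(0);
  var hi = { x: INT32_MAX };
  var lo = { x: INT32_MIN };
  return {
    propUp: incPropOverflow(hi),        // 2147483648
    propDown: decPropOverflow(lo),      // -2147483649
    name: incNameOverflow(INT32_MAX),   // 2147483648
    gname: incGlobalNameOverflow(),     // 2147483648
    primitive: incPropOnPrimitive(3)    // NaN, or TypeError in strict code
  };
}
```

Run it in the shell as `./js -n -a -m test.js` like the original testcase; with an unfixed build the interesting outcome is the assertion, not a wrong value, so the value checks matter only once the engine survives the overflow path.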

http://hg.mozilla.org/projects/jaegermonkey/rev/83e786a7e348
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Duplicate of this bug: 655963
Duplicate of this bug: 656132