Closed Bug 688478 Opened 13 years ago Closed 13 years ago

[regression] mozilla addon builder broken due to platform regression

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla9
Tracking Flags:
Tracking Status
firefox9 + ---

People

(Reporter: public, Assigned: bhackett1024)

References

Details

Attachments

(1 file)

patch
4.13 KB, patch
dvander
: review+
Details | Diff | Splinter Review
the addon builder is broken in nightlies for a few days now, see https://builder.addons.mozilla.org/addon/1014660/latest/ for example. With KWierso, we've identified the changeset to be http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ea2f892d9439&tochange=648d084ca28e Here's a screenshot of the problem as it appears on Ubuntu Linux: http://i.imgur.com/FEJMn.png
Does turning off type inference fix things?
Blocks: infer-regress
tracking-firefox9: --- → ?
OS: Linux → All
Hardware: x86 → All
(In reply to Boris Zbarsky (:bz) from comment #1) > Does turning off type inference fix things? Yes, setting javascript.options.typeinference to false and then restarting Firefox lets Builder correctly load the code editor.
Attached patch patchSplinter Review
Regression from bug 557358. When setting up a CALLPROP IC which can invoke a getter, the state was synced in the wrong place --- before the shape check, but after the type check. CALLPROP ICs can relink the type check to a stub when handling strings, and on a String.prototype shape mismatch that stub will patch to the slow path used by the shape check. The latter assumes the state is synced, but that may not hold when the input is a string, and the stub reads a stale value off the stack (causing typeOf() in the mootools library to take the wrong path and fail to initialize a class correctly). The fix does the syncing before both checks, as well as for a similar case in GETPROP (not sure if the same issue happens there).
Attachment #562121 - Flags: review?(dvander)
Attachment #562121 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/7fa8649917d1
Assignee: general → bhackett1024
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla9
Verified fixed on today's Nightly build. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110926 Firefox/9.0a1
Status: RESOLVED → VERIFIED
Looks like by date this was fixed in time for Fx9. Please email release-drivers@mozilla.org if that is not the case.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: