Closed Bug 694210 Opened 13 years ago Closed 13 years ago

Assertion failure: UINT32_MAX - startingIndex >= count, at jsarray.cpp:2711

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla10

People

(Reporter: decoder, Assigned: Waldo)

References

Details

(Keywords: assertion, testcase, Whiteboard: [js-triage-done])

Attachments

(1 file)

Patch
2.74 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
It seems that the fix made in bug 668024 has regressed the test at js/src/tests/ecma_3/Array/regress-322135-03.js

Running that test manually on 64 bit (m-c rev 866b2b1793cd) instantly gives me:

Assertion failure: UINT32_MAX - startingIndex >= count, at jsarray.cpp:2711
This is an easy fix, just return false if that condition doesn't hold.

I was attempting to understand both this and the Kraken regression before posting patches/comments on further changes.  I'm happy to just do this one-off first if it matters much, but if no one's too put out I'll probably wait until I figure out the Kraken problem and write a fix for it.
As far as the kraken regression goes, it looks like it's because all the incoming arrays that are being spliced aren't marked as packed.  Perhaps that could be improved.  Or perhaps not.

However, this seems like a reasonable demonstration that my way to address bug 690622 as applied to splice -- that splicing elements didn't update in-progress enumerators -- is too narrowly focused to preserve the fast-case algorithm for sufficiently much code.  I guess I'll hack around this some other way, then.
Attached patch PatchSplinter Review 
It turns out we have a type flag for objects being iterated over, which is equally usable as a condition for determining whether optimization is possible.  Win!
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Attachment #567953 - Flags: review?
Attachment #567953 - Flags: review? → review?(bhackett1024)
And yes, I did kraken this, with these results for the change immediately before bug 668024, the change made by bug 668024, and that change plus this patch:

[jwalden@wheres-wally kraken]$ tail -n 10 /tmp/unmod.txt && tail -n 10 /tmp/mod.txt && tail -n 10 /tmp/mod-fixed.txt ===============================================
RESULTS (means and 95% confidence intervals)
-----------------------------------------------
Total:                        334.9ms +/- 4.2%
-----------------------------------------------

  stanford:                   334.9ms +/- 4.2%
    crypto-sha256-iterative:  334.9ms +/- 4.2%

Results are located at kraken-1.1-results/sunspider-results-2011-10-18-18.51.36.js
===============================================
RESULTS (means and 95% confidence intervals)
-----------------------------------------------
Total:                        434.4ms +/- 6.2%
-----------------------------------------------

  stanford:                   434.4ms +/- 6.2%
    crypto-sha256-iterative:  434.4ms +/- 6.2%

Results are located at kraken-1.1-results/sunspider-results-2011-10-18-18.49.49.js
===============================================
RESULTS (means and 95% confidence intervals)
-----------------------------------------------
Total:                        332.1ms +/- 2.1%
-----------------------------------------------

  stanford:                   332.1ms +/- 2.1%
    crypto-sha256-iterative:  332.1ms +/- 2.1%

Results are located at kraken-1.1-results/sunspider-results-2011-10-18-18.48.37.js
Attachment #567953 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/5b13e63313a8
Whiteboard: js-triage-needed → [js-triage-done]
Target Milestone: --- → mozilla10
Version: Other Branch → Trunk
https://hg.mozilla.org/mozilla-central/rev/5b13e63313a8
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: