The default bug view has changed. See this FAQ.

Assertion failure: UINT32_MAX - startingIndex >= count, at jsarray.cpp:2711

RESOLVED FIXED in mozilla10

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: decoder, Assigned: Waldo)

Tracking

({assertion, testcase})

Trunk
mozilla10
assertion, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [js-triage-done])

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
It seems that the fix made in bug 668024 has regressed the test at js/src/tests/ecma_3/Array/regress-322135-03.js

Running that test manually on 64 bit (m-c rev 866b2b1793cd) instantly gives me:

Assertion failure: UINT32_MAX - startingIndex >= count, at jsarray.cpp:2711
This is an easy fix, just return false if that condition doesn't hold.

I was attempting to understand both this and the Kraken regression before posting patches/comments on further changes.  I'm happy to just do this one-off first if it matters much, but if no one's too put out I'll probably wait until I figure out the Kraken problem and write a fix for it.
As far as the kraken regression goes, it looks like it's because all the incoming arrays that are being spliced aren't marked as packed.  Perhaps that could be improved.  Or perhaps not.

However, this seems like a reasonable demonstration that my way to address bug 690622 as applied to splice -- that splicing elements didn't update in-progress enumerators -- is too narrowly focused to preserve the fast-case algorithm for sufficiently much code.  I guess I'll hack around this some other way, then.
Created attachment 567953 [details] [diff] [review]
Patch

It turns out we have a type flag for objects being iterated over, which is equally usable as a condition for determining whether optimization is possible.  Win!
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Attachment #567953 - Flags: review?
Attachment #567953 - Flags: review? → review?(bhackett1024)
And yes, I did kraken this, with these results for the change immediately before bug 668024, the change made by bug 668024, and that change plus this patch:

[jwalden@wheres-wally kraken]$ tail -n 10 /tmp/unmod.txt && tail -n 10 /tmp/mod.txt && tail -n 10 /tmp/mod-fixed.txt ===============================================
RESULTS (means and 95% confidence intervals)
-----------------------------------------------
Total:                        334.9ms +/- 4.2%
-----------------------------------------------

  stanford:                   334.9ms +/- 4.2%
    crypto-sha256-iterative:  334.9ms +/- 4.2%

Results are located at kraken-1.1-results/sunspider-results-2011-10-18-18.51.36.js
===============================================
RESULTS (means and 95% confidence intervals)
-----------------------------------------------
Total:                        434.4ms +/- 6.2%
-----------------------------------------------

  stanford:                   434.4ms +/- 6.2%
    crypto-sha256-iterative:  434.4ms +/- 6.2%

Results are located at kraken-1.1-results/sunspider-results-2011-10-18-18.49.49.js
===============================================
RESULTS (means and 95% confidence intervals)
-----------------------------------------------
Total:                        332.1ms +/- 2.1%
-----------------------------------------------

  stanford:                   332.1ms +/- 2.1%
    crypto-sha256-iterative:  332.1ms +/- 2.1%

Results are located at kraken-1.1-results/sunspider-results-2011-10-18-18.48.37.js
Attachment #567953 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/5b13e63313a8
Whiteboard: js-triage-needed → [js-triage-done]
Target Milestone: --- → mozilla10
Version: Other Branch → Trunk
https://hg.mozilla.org/mozilla-central/rev/5b13e63313a8
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.