Bug 717249 - Assertion failure: !uses->next->next && uses->next->popped && script->code[uses->next->offset] == JSOP_SWAP, at ../jsanalyze.h:1064
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: mozilla13
Assigned To: Brian Hackett (:bhackett)
QA Contact: Jason Orendorff [:jorendorff]
Duplicates: 722592
Depends on:
Blocks: langfuzz 712714
Reported: 2012-01-11 08:36 PST by Christian Holler (:decoder)
Modified: 2013-01-19 14:00 PST
CC List: 6 users
choller: in‑testsuite+

rm fugliness (11.11 KB, patch)
2012-01-11 18:16 PST, Brian Hackett (:bhackett)
jwalden+bmo: review+
weaken assert (1.03 KB, patch)
2012-02-16 16:26 PST, Brian Hackett (:bhackett)
jwalden+bmo: review+

Description Christian Holler (:decoder) 2012-01-11 08:36:20 PST
The following test asserts on mozilla-central revision 4de07a341aab (options -m -n -a):

Comment 1 Jeff Walden [:Waldo] (remove +bmo to email) 2012-01-11 10:18:51 PST
If I had to guess, I'm betting this has to do with the JSOP_QNAMEPART fugliness for property accesses for __proto__.  h8
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-01-11 15:50:41 PST
This has not been fixed on m-c changeset 7c7d2a8db7ff (which has bug 716713 included)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   84036:7ab4f1ebc7cc
user:        Brian Hackett
date:        Mon Jan 09 06:29:50 2012 -0800
summary:     Backout 54cd89b0f1fa (bug 712714 backout).  Talos will probably report fake regressions for this patch, do not back out for this reason.
Comment 3 Brian Hackett (:bhackett) 2012-01-11 18:16:28 PST
Created attachment 587907
rm fugliness

Yeah, it's the __proto__ special casing.  This bug removes that stuff entirely.  It seems only necessary so that the interpreter does not have to check for __proto__ when doing GetProtoIfDenseArray.  Interpreter optimizations are no longer necessary/justifiable, and while PICs should still be able to do this stuff they can test for __proto__ before generating code.
Comment 4 Brian Hackett (:bhackett) 2012-01-11 18:21:29 PST
(In reply to Brian Hackett (:bhackett) from comment #3)
> Interpreter optimizations are no longer necessary/justifiable

Overstated this a bit.  Having significant complexity to occasionally save a few cycles while interpreting is not good.
Comment 5 Jeff Walden [:Waldo] (remove +bmo to email) 2012-01-18 14:14:27 PST
Comment on attachment 587907
rm fugliness

Review of attachment 587907:

And there was much rejoicing.
Comment 6 Brian Hackett (:bhackett) 2012-01-20 07:15:53 PST
Comment 7 Brian Hackett (:bhackett) 2012-01-20 07:35:09 PST
Backed out for not building on any platforms except the ones I tested on.
Comment 8 David Mandelin [:dmandelin] 2012-02-06 16:49:08 PST
*** Bug 722592 has been marked as a duplicate of this bug. ***
Comment 9 Brian Hackett (:bhackett) 2012-02-16 16:26:09 PST
Created attachment 598057
weaken assert

Unfortunately the QNAMEPART stuff is also necessary for correct behavior of __proto__ on primitives (which should get e.g. Number.prototype instead of Object.prototype) and there doesn't seem to be an easy/efficient way to fix this.  So here's a patch which weakens the assert so that the goofy SWAP; SWAP sequence of bytecodes emitted here is passed through.
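
Added example, not part of the bug thread or of the SpiderMonkey tree: a regression-style check for the behaviour comment 9 describes, that `__proto__` read on a primitive yields the wrapper prototype (e.g. Number.prototype) rather than Object.prototype. It goes beyond the Number case to the other primitive kinds and repeats each access route in a loop so that compiled paths are exercised as well as cold ones; `SAMPLES`, `ROUTES`, `checkPrimitiveProto` and `nullishThrows` are names assumed for this example.

```javascript
'use strict';

// Constructed samples: one value per primitive kind that has a wrapper prototype.
const SAMPLES = [
  { label: 'number', value: 42, expected: Number.prototype },
  { label: 'string', value: 'abc', expected: String.prototype },
  { label: 'boolean', value: true, expected: Boolean.prototype },
  { label: 'symbol', value: Symbol('s'), expected: Symbol.prototype },
  { label: 'bigint', value: 10n, expected: BigInt.prototype },
];

// Hypothetical helper names. Three syntactic routes to the same lookup,
// since an engine may emit different bytecode or compiled code for each.
const ROUTES = {
  dot: (v) => v.__proto__,
  bracket: (v) => v['__proto__'],
  computed: (v, key) => v[key],
};

// Repeat each access `iterations` times so it runs both cold and after any
// JIT warm-up. Returns a list of mismatch descriptions (empty means pass).
function checkPrimitiveProto(iterations) {
  const failures = [];
  for (const { label, value, expected } of SAMPLES) {
    for (const [route, get] of Object.entries(ROUTES)) {
      for (let i = 0; i < iterations; i++) {
        const got = get(value, '__proto__');
        if (got !== expected) {
          failures.push(`${label} via ${route}, iteration ${i}`);
          break; // one report per sample/route pair is enough
        }
      }
    }
  }
  return failures;
}

// null and undefined have no wrapper object: the lookup must throw a TypeError.
function nullishThrows() {
  return [null, undefined].every((v) => {
    try {
      ROUTES.dot(v);
      return false;
    } catch (e) {
      return e instanceof TypeError;
    }
  });
}
```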
Comment 10 Brian Hackett (:bhackett) 2012-02-23 18:11:23 PST
Comment 11 Marco Bonardo [::mak] 2012-02-24 02:44:43 PST
Comment 12 Christian Holler (:decoder) 2013-01-19 14:00:54 PST
Automatically extracted testcase for this bug was committed:
