Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 717251 - Assertion failure: js_CodeSpec[*(regs.pc)].format & ((1U<<5) | (2U<<5)), at js/src/jsinterp.cpp:1275
: Assertion failure: js_CodeSpec[*(regs.pc)].format & ((1U<<5) | (2U<<5)), at j...
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: -- critical (vote)
: mozilla12
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz 712714
  Show dependency treegraph
Reported: 2012-01-11 08:36 PST by Christian Holler (:decoder)
Modified: 2013-01-19 14:31 PST (History)
6 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch (4.71 KB, patch)
2012-01-11 17:41 PST, Brian Hackett (:bhackett)
dvander: review+
Details | Diff | Splinter Review

Description Christian Holler (:decoder) 2012-01-11 08:36:53 PST
The following test asserts on mozilla-central revision 4de07a341aab (options -m -n -a):

this.__proto__ = []; 
var msPerDay =   86400000;
for ( var time = 0, year = 1969; year >= 0; year-- ) {
  time -= TimeInYear(year);
function DaysInYear( y ) {}
function TimeInYear( y ) {
  return ( DaysInYear(y) * msPerDay );

Could be related to bug
Comment 1 Christian Holler (:decoder) 2012-01-11 08:37:47 PST
That's supposed to say bug 717249 in the end.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-01-11 15:38:48 PST
I reproduced this too, on m-c changeset 7c7d2a8db7ff but only when passed in as a CLI argument.
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-01-11 15:51:30 PST
This has not been fixed on m-c changeset 7c7d2a8db7ff (which has bug 716713 included)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   84036:7ab4f1ebc7cc
user:        Brian Hackett
date:        Mon Jan 09 06:29:50 2012 -0800
summary:     Backout 54cd89b0f1fa (bug 712714 backout).  Talos will probably report fake regressions for this patch, do not back out for this reason.
Comment 4 Brian Hackett (:bhackett) 2012-01-11 17:41:07 PST
Created attachment 587894 [details] [diff] [review]

Various problems with AssertValidPropertyCacheHit.  Before bug 712714, I don't think this function was ever being called on cache hits under method JIT stub calls, and now that it is there are a bunch of test failures because of problems in this code.

These test failures weren't showing up on tinderbox because the property cache is disabled in threadsafe builds.  There isn't any technical reason anymore why the property cache should be disabled in such builds, and I tried doing this for bug 712714 but ran into problems because the assertions are broken when dealing with certain DOM objects (there is a cache hit on the prototype, and when confirming the hit a resolve hook on the object itself executes which installs the searched-for property).
Comment 5 Brian Hackett (:bhackett) 2012-01-12 08:41:52 PST
Comment 6 Marco Bonardo [::mak] 2012-01-13 01:08:20 PST
Comment 7 Christian Holler (:decoder) 2013-01-19 14:31:45 PST
Automatically extracted testcase for this bug was committed:

Note You need to log in before you can comment on or make changes to this bug.