Closed Bug 717251 Opened 13 years ago Closed 13 years ago

Assertion failure: js_CodeSpec[*(regs.pc)].format & ((1U<<5) | (2U<<5)), at js/src/jsinterp.cpp:1275

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla12

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-needed)

Attachments

(1 file)

patch
4.71 KB, patch
dvander
: review+
Details | Diff | Splinter Review
The following test asserts on mozilla-central revision 4de07a341aab (options -m -n -a): this.__proto__ = []; var msPerDay = 86400000; for ( var time = 0, year = 1969; year >= 0; year-- ) { time -= TimeInYear(year); } function DaysInYear( y ) {} function TimeInYear( y ) { return ( DaysInYear(y) * msPerDay ); } Could be related to bug
That's supposed to say bug 717249 in the end.
I reproduced this too, on m-c changeset 7c7d2a8db7ff but only when passed in as a CLI argument.
This has not been fixed on m-c changeset 7c7d2a8db7ff (which has bug 716713 included) autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 84036:7ab4f1ebc7cc user: Brian Hackett date: Mon Jan 09 06:29:50 2012 -0800 summary: Backout 54cd89b0f1fa (bug 712714 backout). Talos will probably report fake regressions for this patch, do not back out for this reason.
Blocks: 712714
Keywords: regression
OS: Linux → All
Hardware: x86_64 → All
Attached patch patchSplinter Review
Various problems with AssertValidPropertyCacheHit. Before bug 712714, I don't think this function was ever being called on cache hits under method JIT stub calls, and now that it is there are a bunch of test failures because of problems in this code. These test failures weren't showing up on tinderbox because the property cache is disabled in threadsafe builds. There isn't any technical reason anymore why the property cache should be disabled in such builds, and I tried doing this for bug 712714 but ran into problems because the assertions are broken when dealing with certain DOM objects (there is a cache hit on the prototype, and when confirming the hit a resolve hook on the object itself executes which installs the searched-for property).
Assignee: general → bhackett1024
Attachment #587894 - Flags: review?(dvander)
Attachment #587894 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/d7abb1f2efc8
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: