User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0b6pre) Gecko/20100912 Firefox/4.0b6pre Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0b6pre) Gecko/20100912 Firefox/4.0b6pre When loading the page with javascript.options.methodjit.content = true. The script on www.moviemeter.nl will become unresponsive. Tested this with methodjit on and off and on a clean profile. The script works fine when methodjit.content is false. Reproducible: Always Steps to Reproduce: 1. Use Nightly build with methodjid.content = true 2. Navigate to http://moviemeter.nl 3. Wait till the browser responds again. Actual Results: Minefield will show an Unresponsive Script warning dialog. Expected Results: Executed the script without problems

Script: http://www.moviemeter.nl/libs/mootools-1.2-core.js?cb=20080614 (Line 51): for(var B=0,A=this.length;B<A;B++){var C=$type(this[B]);if(!C){continue;}D=D.concat((C=="array"||C=="collection"||C=="arguments")?Array.flatten(this[B]):this[B]);

Disabling PICs for JSOP_LENGTH makes the bug go away.

This is basically a typo bug in the PIC for length of args objects. The arguments object PIC was guarding that the object was a slow array. Thus, if the program had |a.length| where a was an arguments object the first time through, then we would get incorrect results on any successive call where a was a slow array. There was actually a second bug there as well: the args object PIC wasn't shifting out the override bit, so if the length was 3, we would end up saying 6 instead. Thanks to everyone that reported a version of this bug: obviously it was affecting at least 4 sites, but I suspect it may have been causing intermittent errors in other places as well.

Comment on attachment 474857 [details] [diff] [review] Patch Two nits: might want to use a slow array with a different expected value that's not a pow2-multiple, and I think our JS follows useArg2 cap style.

(In reply to comment #7) > Comment on attachment 474857 [details] [diff] [review] > Patch > > Two nits: might want to use a slow array with a different expected value that's > not a pow2-multiple, Not sure what you mean: the expected result is 3. >and I think our JS follows useArg2 cap style. Fixed. http://hg.mozilla.org/tracemonkey/rev/614c81c9fda4

(In reply to comment #8) > Not sure what you mean: the expected result is 3. Just meant that you're charging the PIC with a result value that is expected to be 3 for the arguments, maybe you'd want to use a different number of values (like... 5) in the slow array case. No biggie!

Mozilla/5.0 (Windows NT 5.1; rv:2.0b7pre) Gecko/20100917 Firefox/4.0b7pre ID:20100917041014 Sites are working correctly now with methodjit enabled! VERIFIED