function x() { yield x } new(x) ParallelArray([7247], function() { --x eval("") }) asserts js debug threadsafe shell on m-c changeset 1179318fb5aa without any CLI arguments at Assertion failure: !isFloat(), at jit/RegisterSets.h My configure flags are: LD=ld CROSS_COMPILE=1 CXX="clang++ -Qunused-arguments -arch i386" RANLIB=ranlib CC="clang -Qunused-arguments -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments" HOST_CXX="clang++ -Qunused-arguments" sh ./configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-threadsafe --with-ccache <some NSPR compile flags, or use --with-system-nspr> autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/c1ccfd8f31bf user: Eric Faust date: Fri Aug 30 18:50:36 2013 -0700 summary: Bug 824393 - Part 0: Open SetPropertyIC to cases with uncertain TI. (r=bhackett) (s-s because the stack has a weird memory address (jit code?) on the stack, 0x015d38ec) Eric, is bug 824393 probably related?

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7ff96bd19c1c).

autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/abb25a18b5a5 user: Brian Hackett date: Mon Sep 02 10:05:27 2013 -0700 summary: Bug 906788 - Construct TypeObject newScript information using MIR, r=jandem. Eric, you mentioned this bug may not actually be fixed yet. Is bug 906788 likely part of the equation?

Ok, this seems to fix the problem. Gary, I'm not sure exactly how Brian's work influences how TI is kept, but it's very likely to have just steered us away from this case. At any rate, this patch ensures that we no longer try to guardTypeSet with a TypedOrValueRegister known to be a float, as we can check that statically against the typeset before generation. Brian, is this change consistent in correctness with the changes in the bug above? It seems better than what we had. If not, at least the fact that I misapplied a nit previously (the TypeObject guard was too restrictively generated), should be fixed.

Marking high because it is JIT badness...

JSBugMon: This bug has been automatically verified fixed.