function h(i, i) { i = ([Infinity([])])(1 ? l : arguments) } for (var j = 0; j < 2; ++j) { try { h(-Number, -Number) } catch (e) {} } asserts js debug shell on m-c changeset 30f3710477c2 with --ion-parallel-compile=off --ion-eager at Assertion failure: !type->canonicalSpill() || type->canonicalSpill() == typeAlloc, at jit/LinearScan.cpp My configure flags are: AR=ar sh ./configure --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/9aba403595d5 user: Jan de Mooij date: Thu Jan 09 12:10:14 2014 +0100 summary: Bug 955850 - Fix regalloc safepoint issue. r=djvj Jan, is bug 955850 a likely regressor?

I have a 32-bit Mac testcase which I'll carry on reducing tomorrow.

Bogus asserts. I thought it was important/necessary for these conditions to hold, but it isn't of course: as long as the payload is in an argument slot (and hence is marked), it doesn't matter where the type tag is (register, stack slot etc) because GC only cares about the payload.

function f() { function f(i0, i1) { i0 = i0 | 0; i = i1 | 0; switch (1) { case -3: switch (f) {} } { return 0 }(arguments) } return f }; for (var j = 0; j < 999; ++j) { (function(x) { f()(f()(x, f()())) })() } This is a testcase that asserts on 32-bit Mac. Jan, do you think you can land these testcases (comment 0 and this) as well, when you land the patch for landing?

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4) > Jan, do you think you can land these testcases (comment 0 and this) as well, > when you land the patch for landing? Sure :)

Pushed directly to b2g-inbound as requested by gwagner, to unbreak b2g emulator debug builds. https://hg.mozilla.org/integration/b2g-inbound/rev/058c053e2f07 Setting needinfo to add the tests; I didn't want to block this trivial patch on that.

JSBugMon: This bug has been automatically verified fixed.

It took a while, but just added the tests: https://hg.mozilla.org/integration/mozilla-inbound/rev/3eeb45f8ec21

1.3T? to discuss https://bugzilla.mozilla.org/show_bug.cgi?id=993317#c6

(In reply to Joe Cheng [:jcheng] from comment #12) > 1.3T? to discuss https://bugzilla.mozilla.org/show_bug.cgi?id=993317#c6 :jcheng lets not block on this unless their is a known user impact

triage; let's not block tarako reelase with this. if we have a safe solution ,let's evaluate if we can uplift to 1.3T thanks