Closed Bug 652314 Opened 13 years ago Closed 13 years ago

TI: Crash [@ js::types::TypeSet::add] or "Assertion failure: v.kind() != SSAValue::EMPTY && pv->value.kind() != SSAValue::EMPTY,"

Categories: Core :: JavaScript Engine, defect
Platform: x86 macOS
Type: defect
Priority: Not set
Severity: critical


Status: RESOLVED FIXED

Reporter: gkw, Unassigned


(function() {
    for (a in [0]) {
        try {
            return
        } catch(e) {}
    }
})()

crashes js opt shell on JM changeset 90a7b141e0cf with -m, -a and -n at js::types::TypeSet::add and asserts js debug shell at Assertion failure: v.kind() != SSAValue::EMPTY && pv->value.kind() != SSAValue::EMPTY,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   68276:90a7b141e0cf
tag:         tip
user:        Brian Hackett
date:        Fri Apr 22 07:59:45 2011 -0700
summary:     [INFER] Bytecode SSA analysis, bug 650715.

Another assertion message floating around is:

Assertion failure: v.kind() != SSAValue::EMPTY

but I'm assuming they're related.

Weird situation in scripts with switch or try blocks, 'for in' iterators and return statements within those iterators.  The SSA analysis doesn't track control flow for scripts with switch and try blocks (oversight which should be fixed), and assumes the stack is balanced within these opcodes, a property which does not hold if ENDITERs are introduced to handle return statements that close any iterators active outside the try/switch block.
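
The following is an added toy model of the stack-balance assumption described in the comment above; it is not code from this bug, from SpiderMonkey, or from the linked fix. The opcode sequences are hand-sketched assumptions of what the compiler emits for the testcase (an ENDITER before the RETURN to close the iterator that is still active outside the try block), and the "EMPTY" use the linear pass records stands in for the SSAValue::EMPTY slot named in the assertion. It covers both the try-block shape from the testcase and the switch-block shape the comment mentions.

```javascript
// Constructed toy model of the "stack is balanced within try/switch" assumption.
// Opcode names echo the ones on this page (ITER, ENDITER, TRY, RETURN), but the
// semantics are simplified and are NOT SpiderMonkey's bytecode or SSA analysis.

// Region opcodes: the naive pass treats everything between BEGIN and END as
// opaque and stack-neutral, so it never follows control flow inside a region.
const REGION_BEGIN = new Set(["TRY", "SWITCH"]);
const REGION_END = new Set(["ENDTRY", "ENDSWITCH"]);

// Assumed bytecode for the reporter's testcase:
//   ITER      push the for-in iterator for `for (a in [0])`
//   TRY       enter the try block
//   ENDITER   `return` must close the iterator still active outside the try
//   RETURN    this path leaves the script
//   ENDTRY    end of the try region; the catch path resumes after it
//   ENDITER   normal loop exit closes the iterator
const TRY_TESTCASE = ["ITER", "TRY", "ENDITER", "RETURN", "ENDTRY", "ENDITER"];

// The same shape with a switch block instead of a try block (constructed).
const SWITCH_TESTCASE = ["ITER", "SWITCH", "ENDITER", "RETURN", "ENDSWITCH", "ENDITER"];

// Apply one stack-affecting opcode. An ENDITER with nothing to pop records an
// "EMPTY" use: the toy analogue of the SSAValue::EMPTY slot in the assertion.
function applyStackOp(stack, op, pc, emptyUses) {
  if (op === "ITER") {
    stack.push(`iter@${pc}`);
  } else if (op === "ENDITER") {
    if (stack.length === 0) emptyUses.push(pc);
    else stack.pop();
  }
}

// Control-flow-insensitive pass: walks the opcodes in order and assumes every
// region is balanced. The ENDITER emitted for the early return pops the
// iterator, so the loop-exit ENDITER after the region finds nothing to pop.
function analyzeLinear(ops) {
  const stack = [];
  const emptyUses = [];
  ops.forEach((op, pc) => applyStackOp(stack, op, pc, emptyUses));
  return { emptyUses, finalDepth: stack.length };
}

// Control-flow-aware pass: a RETURN ends its path, and the code after the
// region is reached only by paths that did not return (the catch block or the
// other switch cases), whose stack is the one captured at region entry.
function analyzeWithControlFlow(ops) {
  let stack = [];
  let reachable = true;
  const entryStacks = []; // snapshot of the stack at each open region
  const emptyUses = [];
  ops.forEach((op, pc) => {
    if (REGION_BEGIN.has(op)) {
      entryStacks.push(stack.slice());
    } else if (REGION_END.has(op)) {
      const entry = entryStacks.pop();
      if (!reachable && entry) { // body returned: resume with the entry stack
        stack = entry;
        reachable = true;
      }
    } else if (!reachable) {
      return; // dead code after a RETURN inside the region
    } else if (op === "RETURN") {
      reachable = false;
    } else {
      applyStackOp(stack, op, pc, emptyUses);
    }
  });
  return { emptyUses, finalDepth: stack.length };
}

for (const [name, ops] of [["try", TRY_TESTCASE], ["switch", SWITCH_TESTCASE]]) {
  console.log(name, "linear:", JSON.stringify(analyzeLinear(ops)));
  console.log(name, "flow-aware:", JSON.stringify(analyzeWithControlFlow(ops)));
}
```

The linear pass reports an EMPTY use at the loop-exit ENDITER (pc 5) for both shapes, which is the situation the comment describes: the return path's ENDITER consumed a slot the analysis believed still belonged to the enclosing loop. The flow-aware pass restores the region-entry stack for the non-returning path and finds every ENDITER balanced.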

http://hg.mozilla.org/projects/jaegermonkey/rev/460da05aa26f
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::types::TypeSet::add]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug652314.js.
Flags: in-testsuite+