474935 - TM: "Assertion failure: !ti->typeMap.matches(ti_other->typeMap)" with global, large array

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

var a = ["", 0, 0, 0, 0, 0, "", "", 0, "", 0, ""];
var i = 0;
var g = 0;
for each (let e in a) {
    "" + [e];
    if (i == 3 || i == 7) {
        for each (g in [1]) {
        }
    }
    ++i;
}

Assertion failure: !ti->typeMap.matches(ti_other->typeMap), at ../jstracer.cpp:3110

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: proposed fix

This bug occurred because a piece of the joinEdgesToEntry logic (which is somewhat duplicated in js_AttemptToStabilizeTree) was missing.  If an unstable exit has an integer in its typemap while a peer has a double, and that slot is undemotable, the original tree should be trashed and js_RecordTree should not be called.

This faults in a standalone file but I can't seem to replicate the conditions in trace-tests.

Comment 2

[Andreas Gal :gal]

Comment on attachment 358526 [details] [diff] [review]
proposed fix

Did you test perf? I hope SS doesn't hit this case.

Comment 3

[David Anderson [:dvander] - inactive, e-mail if emergency]

No perf change, so pushed as changeset: http://hg.mozilla.org/tracemonkey/rev/e6c5ad00591d

Comment 4

[Bob Clary [:bc] (inactive)]

http://hg.mozilla.org/mozilla-central/rev/d52de3f35735
/cvsroot/mozilla/js/tests/js1_8/regress/regress-474935.js,v  <--  regress-474935.js
initial revision: 1.1

Comment 5

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/e6c5ad00591d

Comment 6

[Robert Sayre]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f6157412e3ed

Comment 7

[Bob Clary [:bc] (inactive)]

v 1.9.1, 1.9.2