475593 - TM: Assertion failed: "Should not move data from GPR/XMM to x87 FPU": false (../nanojit/Nativei386.cpp:1851) (js_BooleanOrUndefinedToNumber emitted twice)

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Comment 1

[Jason Orendorff [:jorendorff]]

Attachment: v1

Comment 2

[Brendan Eich [:brendan]]

Comment on attachment 359119 [details] [diff] [review]
v1

Ay caramba!

/be

Comment 3

[Brendan Eich [:brendan]]

Was this covered by a trace-test.js test? I didn't see any failures...

/be

Comment 4

[Jason Orendorff [:jorendorff]]

Yes, testLoopWithUndefined2 triggered this for me.  The even-further-reduced test case is:

  a = true;
  for (i = 0; i < 6; i++)
      a = (8 == void 0);

But the bug either hits or sneaks by depending on the alignment of the field JSRuntime::jsNaN.  If it's aligned to 0, then DOUBLE_TO_JSVAL(&cx->runtime->jsNaN) is a bad DOUBLE jsval, and you get a potential (but very hard to trigger) correctness error.  If it's aligned to 4, then it's a bad BOOLEAN jsval, and you get this bug.

http://hg.mozilla.org/tracemonkey/rev/5d11bbac8fbe

Comment 5

[Brendan Eich [:brendan]]

http://hg.mozilla.org/mozilla-central/rev/5d11bbac8fbe too, on to 1.9.1.

/be

Comment 6

[Bob Clary [:bc] (inactive)]

I've seen this occasionally but couldn't reproduce it reliably until today. Bisection points to an apparently unrelated patch http://hg.mozilla.org/tracemonkey/rev/799649d4e416 by Andrei. Andrei or Igor, would bug 474801 make the conditions Jason described in comment 4 more probable?

v 1.9.1 tracemonkey and by inference 1.9.2

Comment 7

[Robert Sayre]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/8f9b70a39fdc

Comment 8

[Bob Clary [:bc] (inactive)]

covered by test added in Bug 456479 already in js/src/trace-test.js and js/js1_8_1/trace/trace-test.js

Comment 9

[Bob Clary [:bc] (inactive)]

v 1.9.1, 1.9.2