Closed Bug 585408 Opened 14 years ago Closed 14 years ago

JM: "Assertion failure: !fe->type.isConstant(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: dvander)

References

Details

(Keywords: assertion, regression, testcase) 

(function() {
  function a() {}
  a.e = a++
})()

asserts js debug shell on JM changeset 787e35063545 with -m at Assertion failure: !fe->type.isConstant(), at ../methodjit/FrameState-inl.h:393
jsop_localinc() calls frame.forgetType(frame.peek(-1)), but that frame is a copy of a FrameEntry where the type is known.

jsop_setprop() then checks whether the type is known, sees that it isn't, calls tempRegForType(). That function works with fe->copyOf(), so it asserts that the value is constant.
Hrm. There shouldn't be a copy here in the first place. Investigating
Assignee: general → dvander
Status: NEW → ASSIGNED
Oh, fine. For LOCALINC with an observed value, and also cases where the type is known to be not int32, just break the op down into more primitive operations. No point in being super clever.

http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/92c4c89c5ba8
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug585408-3.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.