Closed Bug 617549 Opened 14 years ago Closed 14 years ago

TypeInference: Assertion failure: fe->getKnownType() == original->getKnownType()

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Assigned: bhackett1024)

References

Details

(Whiteboard: fixed-in-jaegermonkey)

Attachments

(1 file)

fix
1.47 KB, patch
Details | Diff | Splinter Review 
---
function f() {
    var a, b, c;
    a = -c;
    b = c & 2;
    a = b;
    a = 123 * a;
}
f();
---
Assertion failure: fe->getKnownType() == original->getKnownType(), at ../methodjit/FrameState.cpp:1883

Stack trace suggests it's doing a recompile caused by stubs::Neg?
---
#0  0x001ca223 in JS_Assert (s=0x34cfd0 "fe->getKnownType() == original->getKnownType()", file=0x34c777 "../methodjit/FrameState.cpp", ln=1883) at ../jsutil.cpp:80
#1  0x002a911f in js::mjit::FrameState::uncopy (this=0xbfffbb54, original=0x8868a8) at ../methodjit/FrameState.cpp:1883
#2  0x002a92f1 in js::mjit::FrameState::forgetEntry (this=0xbfffbb54, fe=0x8868a8) at ../methodjit/FrameState.cpp:1971
#3  0x002a9a45 in js::mjit::FrameState::storeTop (this=0xbfffbb54, target=0x8868a8, popGuaranteed=true, type=JSVAL_TYPE_DOUBLE) at ../methodjit/FrameState.cpp:1990
#4  0x002abbb7 in js::mjit::FrameState::storeLocal (this=0xbfffbb54, n=0, popGuaranteed=true, type=JSVAL_TYPE_DOUBLE) at ../methodjit/FrameState.cpp:1927
#5  0x00291d9f in js::mjit::Compiler::generateMethod (this=0xbfffb5fc) at ../methodjit/Compiler.cpp:1669
#6  0x002977f2 in js::mjit::Compiler::performCompilation (this=0xbfffb5fc, jitp=0x715674) at ../methodjit/Compiler.cpp:257
#7  0x002979da in js::mjit::Compiler::compile (this=0xbfffb5fc) at ../methodjit/Compiler.cpp:142
#8  0x002e922e in js::mjit::Recompiler::recompile (this=0xbffff350, fp=0x1000078, patches=@0xbffff228, sites=@0xbffff180, natives=@0xbffff1f0, doublePatches=@0xbffff1b8, recompilations=0) at ../methodjit/Retcon.cpp:430
#9  0x002e9f67 in js::mjit::Recompiler::recompile (this=0xbffff350) at ../methodjit/Retcon.cpp:374
#10 0x0031593a in js::types::TypeCompartment::processPendingRecompiles (this=0x809674, cx=0x70b420) at ../jsinfer.cpp:1601
#11 0x0031e163 in js::types::TypeCompartment::addDynamicPush (this=0x809674, cx=0x70b420, code=@0x715e00, index=0, type=5) at ../jsinfer.cpp:1584
#12 0x001b01ac in JSScript::typeMonitorResult (this=0x715620, cx=0x70b420, pc=0x71568b "\"W", index=0, type=5) at jsinferinlines.h:591
#13 0x000f50a6 in JSScript::typeMonitorOverflow (this=0x715620, cx=0x70b420, pc=0x71568b "\"W", index=0) at jsinferinlines.h:607
#14 0x002730ec in js::mjit::stubs::Neg (f=@0xbffff4d0) at ../methodjit/StubCalls.cpp:1403
#15 0x006ce2db in ?? ()
---
Attached patch fixSplinter Review 
Yeah, it's recompiling after the Neg.  Even if the inference sees that an operand to an arithmetic operation could be undefined, it assumes that won't actually happen and will recompile if it does and produces an unexpected double.  The problem is later, at 'a = b', where the FrameState rearranges things internally so that 'b' (an int) is a copy of 'a' (a double).  This causes the backing for b to get converted to an FP register, but we incorrectly left b itself marked as an int.  This is in FrameState::storeTop, which is now one of the hairiest parts of the FrameState and surely has more bugs.

http://hg.mozilla.org/projects/jaegermonkey/rev/4d0b24613dd8
Assignee: general → bhackett1024
Whiteboard: fixed-in-jaegermonkey
Blocks: infer-regress
No longer blocks: TypeInference
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: