621655 - TypeInference: JM: "Assertion failure: !fe->isType(JSVAL_TYPE_DOUBLE)"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

./js -m
for (p in .3) { }

Assertion failure: !fe->isType(JSVAL_TYPE_DOUBLE), 
at methodjit/FrameState-inl.h:463

The first bad revision is:
changeset:   http://hg.mozilla.org/projects/jaegermonkey/rev/0cd7e38f0b39
user:        Brian Hackett
date:        Fri Oct 29 08:05:55 2010 -0700
summary:     [INFER] Javascript type inference, bug 557407.

Comment 1

[Jan de Mooij [:jandem]]

Attachment: Fix

Type inference assigns a double type to the stack slots for the ITER/FOR* opcodes and sets ignoreTypeTag to true. moreIter then calls fixDoubleTypes, which ignores this flag, and assigns a double tag to the iterator object. moreIter then calls tempRegForData and this asserts because it does not expect a double.

This patch adds a check for ignoreTypeTag to fixDoubleTypes. I had to rewrite the loop to be more like the one in restoreAnalysisTypes, so I could access the ignoreTypeTag flag.

Comment 2

[Brian Hackett [Laid off!]]

This will I think be unnecessary after the patch for bug 621301 lands tonight (will double check).  That changes things so that types are restored/fixed only for locals and args at basic block boundaries, mirroring the regalloc.  ignoreTypeTag is gone (along with TypeStack), but the horrible iteration hack is still there and can probably bite in other ways --- should find a cleaner fix.

Comment 3

[Brian Hackett [Laid off!]]

This testcase works now.

http://hg.mozilla.org/projects/jaegermonkey/rev/fbeecf1d1f4c

Comment 4

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug621655.js.