Closed Bug 640614 Opened 9 years ago Closed 9 years ago

TI+JM: Assertion failure: !fe->isType(JSVAL_TYPE_DOUBLE), at ../methodjit/FrameState-inl.h:771

Component: Core :: JavaScript Engine
Type: defect
Platform: x86, macOS
Status: RESOLVED FIXED
Reporter: jandem
Assignee: Unassigned
Blocks: 1 open bug
Whiteboard: fixed-in-jaegermonkey

--
function f(x) {
    x = Math.floor(1.1+x);
    if (x == 1) {}
}
f(-1.1);
--
Assertion failure: !fe->isType(JSVAL_TYPE_DOUBLE), at ../methodjit/FrameState-inl.h:771

Stack:

#0  0x001f31e9 in JS_Assert (s=0x38311c "!fe->isType(JSVAL_TYPE_DOUBLE)", file=0x38c78e "../methodjit/FrameState-inl.h", ln=771) at ../jsutil.cpp:80
#1  0x002e09f2 in js::mjit::FrameState::syncType (this=0xbfffb860, fe=0x8af580) at FrameState-inl.h:771
#2  0x002e0fb8 in js::mjit::FrameState::syncFe (this=0xbfffb860, fe=0x8af580) at FrameState-inl.h:716
#3  0x002e7d63 in js::mjit::FrameState::ensureDouble (this=0xbfffb860, fe=0x8af480) at ../methodjit/FrameState.cpp:1680
#4  0x002b56a9 in js::mjit::Compiler::fixDoubleTypes (this=0xbfffb31c, uses={nuses = 2}) at ../methodjit/Compiler.cpp:5599
This is with -m -n -a.
Reduced a bit:
--
function f(x) {
    x = 2 ^ x++;
    if (x) {}
}
f(1.1);
--
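The two reduced test cases above, as an added jit-test style regression check that is not part of the bug report or of SpiderMonkey's own test suite. The original repros only trip a debug-build assertion; this version asserts the values the ECMAScript semantics require (Math.floor of a double sum, postfix ++ yielding the old value, ToInt32 applied by ^), so a release build that miscompiles the double/int frame entry fails instead of silently returning wrong data. `assertEq` is assumed to be the helper the SpiderMonkey jit-test shell provides; the fallback definition and the hand-computed expectation table are assumptions added for this example.

```javascript
// Added example, not code from the bug report or from SpiderMonkey.
// `assertEq` is the jit-test shell helper; the fallback below is an
// assumption so the file also runs under Node.
if (typeof assertEq === "undefined") {
  globalThis.assertEq = function (got, want, msg) {
    if (!Object.is(got, want)) {
      throw new Error((msg || "assertEq") + ": got " + got + ", want " + want);
    }
  };
}

// Case 1: a double argument flows through Math.floor. 1.1 + (-1.1) is
// exactly +0, so floor gives +0: an integer-valued result that the JIT
// still has to treat as coming from a double-typed slot.
function case1(x) {
  x = Math.floor(1.1 + x);
  if (x == 1) {} // kept from the repro: forces a compare on the new type of x
  return x;
}

// Case 2: x++ yields the old value (1.1) and writes 2.1 back; `^` applies
// ToInt32 to both operands, so 2 ^ 1 === 3 and x is then overwritten with 3.
function case2(x) {
  x = 2 ^ x++;
  if (x) {} // kept from the repro: forces a truthiness test on the new x
  return x;
}

// Hand-computed expectations (constructed for this example), mixing int and
// double inputs so the type tracker sees both kinds in the same slot.
// ToInt32 truncates toward zero: ToInt32(-1.5) === -1 and 2 ^ -1 === -3.
const EXPECTED = [
  [case1, -1.1, 0], [case1, -1, 0], [case1, 0, 1], [case1, 2.5, 3],
  [case2, 1.1, 3], [case2, 1, 3], [case2, -1.5, -3], [case2, 2.7, 0],
];

// Run every pair repeatedly so the method JIT compiles both functions even
// without the shell's -m -n -a flags. Returns the number of mismatches.
function regressionCheck(iterations) {
  let mismatches = 0;
  for (let i = 0; i < iterations; i++) {
    for (const [fn, input, want] of EXPECTED) {
      const got = fn(input);
      if (!Object.is(got, want)) mismatches++;
    }
  }
  return mismatches;
}

assertEq(regressionCheck(1000), 0, "double/int frame-entry regression");
```

Run it under the JS shell with the same -m -n -a flags the report uses, or under node; a non-zero mismatch count means the compiled code produced a value the interpreter would not, which is the wrong-code outcome the debug assertion guards against.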
Whiteboard: fixed
Same problem as bug 640102, using entries from the tracker which are >= sp.  I looked through FrameState.cpp and found/fixed another one of these, in hasOnlyCopy (used for register allocation, but that bug should lead to worse code rather than wrong behavior).

http://hg.mozilla.org/projects/jaegermonkey/rev/154ac7e67f8b
Whiteboard: fixed → fixed-in-jaegermonkey
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED