642198 - TI: Assertion failure: !fe->isType(JSVAL_TYPE_DOUBLE), at ./methodjit/FrameState-inl.h:793

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test case (run with -n -a -m) asserts on TI tip (tested on 64
bit):

test();
function test()
{
  for (var i = 0; i < 2; ++i) {
    for (var e = 0; "FUN1 = new Function( 'a','b','c', 'return FUN1.length' ); FUN1.length"; ++e) {
    }
  }  
}

Comment 1

[Jan de Mooij [:jandem]]

Attachment: Patch

Looks like we should not call syncData for known doubles and known doubles are synced later on. This fixes the assert and passes jit-tests and jstests. Please review carefully, I don't trust my understanding of FrameState.cpp at all.

Comment 2

[Brian Hackett [Laid off!]]

I think that in the case where fe->isType(JSVAL_TYPE_DOUBLE), you want to call syncFe (which can be done for doubles without eviction) to sync the whole entry at the branch target.  After the second pass, all registers required to be synced at the target should have been synced.

Comment 3

[Jan de Mooij [:jandem]]

Attachment: Patch v2

As discussed on IRC, we can call syncFe instead of syncData. This fixes the test and passes jit-tests and jstests with -m -n -a. I won't have much time to work on this tomorrow so feel free to steal.

Comment 4

[Brian Hackett [Laid off!]]

http://hg.mozilla.org/projects/jaegermonkey/rev/deb49a09d553

Comment 5

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug642198.js.