Last Comment Bug 649824 - TI: Assertion failure: f.fp()->hasCallObj() || f.fp()->hasArgsObj(), at ./methodjit/InvokeHelpers.cpp:530
: TI: Assertion failure: f.fp()->hasCallObj() || f.fp()->hasArgsObj(), at ./met...
Status: RESOLVED FIXED
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: Jan de Mooij [:jandem]
:
: Jason Orendorff [:jorendorff]
Mentors:
: 649936 (view as bug list)
Depends on:
Blocks: infer-regress langfuzz
  Show dependency treegraph
 
Reported: 2011-04-13 15:08 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:29 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Patch (1.94 KB, patch)
2011-04-14 02:50 PDT, Jan de Mooij [:jandem]
no flags Details | Diff | Splinter Review

Description Christian Holler (:decoder) 2011-04-13 15:08:59 PDT
The following testcase asserts on TI revision a3eeee8f7803 (run with -m -n -a),
tested on 64 bit:

var o = {
    w: 2,
    x: 3
};
var o = 430717;
o.x = 4;
Comment 1 Jan de Mooij [:jandem] 2011-04-14 02:50:43 PDT
Created attachment 525968 [details] [diff] [review]
Patch

lhs->isTypeKnown() returned true after the call to frame.shimmy, so we did not rejoin from the OOL call to stubs::SetName and marched right into PutActivationObjects.
Comment 2 Jan de Mooij [:jandem] 2011-04-14 03:38:33 PDT
*** Bug 649936 has been marked as a duplicate of this bug. ***
Comment 3 Brian Hackett (:bhackett) 2011-04-14 15:00:13 PDT
Ah, noticed this and fixed it in rev dca50d9a5047, we also did the same thing in jsop_getprop (internet blackout since yesterday afternoon, sorry).  I'll add the testcase.
Comment 4 Christian Holler (:decoder) 2013-01-14 08:29:43 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug649824.js.

Note You need to log in before you can comment on or make changes to this bug.