Last Comment Bug 651155 - TI: Assertion failure: !f.script()->failedBoundsCheck, at ./methodjit/StubCalls.cpp:2913
: TI: Assertion failure: !f.script()->failedBoundsCheck, at ./methodjit/StubCal...
Status: RESOLVED FIXED
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: general
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: infer-regress langfuzz
  Show dependency treegraph
 
Reported: 2011-04-19 09:08 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 07:56 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Christian Holler (:decoder) 2011-04-19 09:08:08 PDT
The following testcase asserts on TI revision d78eef12a329 (run with -m -n -a),
tested on 32 bit:

ForIn_2();
function ForIn_2( object ) {
  PropertyArray=new Array;
  var PropertyArray = 'Do not assert: !cx->throwing';
  for ( i in object ) PropertyArray.length-1;
}
Comment 1 Brian Hackett (:bhackett) 2011-04-19 22:56:14 PDT
We would try to generate loop invariant array lengths for scripts that previously had invariant failures (in this case, from trying to hoist the length of something that isn't actually an array).  If a script has checks fail when generating its loop invariants then future compilations shouldn't hoist any invariants at all (maybe over-aggressive).

http://hg.mozilla.org/projects/jaegermonkey/rev/e5efb8c97426
Comment 2 Christian Holler (:decoder) 2013-01-14 07:56:38 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/loops/bug651155.js.

Note You need to log in before you can comment on or make changes to this bug.