TI: Crash [@ js::types::TypeSet::add] or "Assertion failure: v.kind() != SSAValue::EMPTY && pv->value.kind() != SSAValue::EMPTY,"

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Reporter: gkw
Assignee: Unassigned
Blocks: 2 bugs
Version: Trunk
Platform: x86, Mac OS X
Keywords: assertion, crash, regression, testcase
Flags: in-testsuite +
Description (reporter gkw):

(function() {
    for (a in [0]) {
        try {
            return
        } catch(e) {}
    }
})()

crashes the js opt shell on JM changeset 90a7b141e0cf with -m, -a and -n at js::types::TypeSet::add, and asserts the js debug shell with: Assertion failure: v.kind() != SSAValue::EMPTY && pv->value.kind() != SSAValue::EMPTY,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   68276:90a7b141e0cf
tag:         tip
user:        Brian Hackett
date:        Fri Apr 22 07:59:45 2011 -0700
summary:     [INFER] Bytecode SSA analysis, bug 650715.

Comment 1 (reporter gkw):

Another assertion message floating around is:

Assertion failure: v.kind() != SSAValue::EMPTY

but I'm assuming they're related.

Weird situation in scripts with switch or try blocks, 'for in' iterators and return statements within those iterators.  The SSA analysis doesn't track control flow for scripts with switch and try blocks (an oversight which should be fixed), and assumes the stack is balanced within these opcodes, a property which does not hold if ENDITERs are introduced to handle return statements that close any iterators active outside the try/switch block.

http://hg.mozilla.org/projects/jaegermonkey/rev/460da05aa26f
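The comment above names the general shape that trips the SSA analysis: a for-in iterator that is still active outside a try or switch block, with a return inside that block, so an ENDITER has to be emitted inside the supposedly stack-balanced region. The following is an added set of regression-style variants of that shape (not the page's own test, which lives at js/src/jit-test/tests/jaeger/bug652314.js), covering the try case from the description, the switch case the comment mentions, and two nested iterators; the function names and return values are constructed for this example. A correct engine returns the listed values; an engine with the regression would crash or assert instead.

```javascript
// Added regression-style variants of the crash shape described in the comment.
// Each function keeps a for-in iterator active OUTSIDE a try/switch block and
// returns from INSIDE it, which forces ENDITER inside the try/switch region.
// Function names and return strings are constructed for this example.

// Original shape from the description: iterator outside, return inside try.
function returnInsideTry() {
  for (var k in { x: 1 }) {
    try {
      return "try:" + k;
    } catch (e) {
      return "caught";
    }
  }
  return "no iteration";
}

// Same shape with a switch block instead of a try block.
function returnInsideSwitch() {
  for (var k in { y: 2 }) {
    switch (k) {
      case "y":
        return "switch:" + k;
      default:
        return "default";
    }
  }
  return "no iteration";
}

// Two iterators active outside the try block: both must be closed on return.
function returnInsideNestedIterators() {
  var seen = [];
  for (var a in { p: 0 }) {
    for (var b in { q: 0, r: 0 }) {
      try {
        seen.push(a + b);
        if (b === "r") return seen.join(",");
      } finally {
        // finally runs on the way out as well; nothing to clean up here
      }
    }
  }
  return "no return";
}

// Contrast case: the iterator lives INSIDE the try block, so the stack is
// balanced within the block and this is not the bug shape.
function iteratorInsideTry() {
  try {
    for (var k in { z: 3 }) {
      return "inner:" + k;
    }
  } catch (e) {}
  return "no iteration";
}

// Convenience runner so the variants can be executed together from a shell.
function runAll() {
  return [
    returnInsideTry(),
    returnInsideSwitch(),
    returnInsideNestedIterators(),
    iteratorInsideTry(),
  ];
}
```

Run the file with a js shell (with the flags from the description on the affected changeset, -m -a -n) and check that every function returns rather than aborting; the contrast case is included so a crash can be tied to the iterator-outside-block shape specifically.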
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::types::TypeSet::add]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug652314.js.
Flags: in-testsuite+