Bug 653249 - TI: Assertion failure: backing->data.inMemory() && backing != fe, at ./methodjit/FrameState-inl.h:666
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86_64 Linux
-- critical
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Duplicates: 653400
Depends on:
Blocks: infer-regress langfuzz
Reported: 2011-04-27 14:45 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 07:47 PST
choller: in‑testsuite+

Description Christian Holler (:decoder) 2011-04-27 14:45:52 PDT
The following testcase asserts on TI revision 09cce9915b80 (run with -m -n -a),
tested on 64 bit:

function testUnaryImacros() {
    function checkArg(x) {
        o = {
            valueOf: checkArg
        }
    }
    var v = 0;
    v += +toString;
    for (var i = 0; i;) {
        v += [].checkArg.checkArg;
    }
}(testUnaryImacros(), "valueOf passed, toString passed");
Comment 1 Brian Hackett (:bhackett) 2011-05-01 17:37:04 PDT
*** Bug 653400 has been marked as a duplicate of this bug. ***
Comment 2 Brian Hackett (:bhackett) 2011-05-01 18:09:10 PDT
Obscure case when the compiler is manipulating a variable with an empty type set (causing it to be treated as unknown), which is merged into an SSA phi node with double type (due to other possible values for the variable which are definitely doubles).  We can just coerce such unknown variables into doubles before branching, without needing to revert them afterwards as for int->double branching (any code manipulating values with empty type sets will never actually run).
Comment 3 Christian Holler (:decoder) 2013-01-14 07:47:49 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug653249.js.