Closed Bug 653249 Opened 14 years ago Closed 14 years ago

TI: Assertion failure: backing->data.inMemory() && backing != fe, at ./methodjit/FrameState-inl.h:666

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

The following testcase asserts on TI revision 09cce9915b80 (run with -m -n -a), tested on 64 bit: function testUnaryImacros() { function checkArg(x) { o = { valueOf: checkArg } } var v = 0; v += +toString; for (var i = 0; i;) { v += [].checkArg.checkArg; } }(testUnaryImacros(), "valueOf passed, toString passed");
Obscure case when the compiler is manipulating a variable with an empty type set (causing it to be treated as unknown), which is merged into an SSA phi node with double type (due to other possible values for the variable which are definitely doubles). We can just coerce such unknown variables into doubles before branching, without needing to revert them afterwards as for int->double branching (any code manipulating values with empty type sets will never actually run). http://hg.mozilla.org/projects/jaegermonkey/rev/e0d5de48aafb
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug653249.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.