Persona is no longer an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 655990 - TI: Assertion failure: !fe->isNotType(JSVAL_TYPE_DOUBLE), at methodjit/FrameState.cpp:715
: TI: Assertion failure: !fe->isNotType(JSVAL_TYPE_DOUBLE), at methodjit/FrameS...
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress langfuzz
  Show dependency treegraph
Reported: 2011-05-10 05:23 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 07:58 PST (History)
4 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Christian Holler (:decoder) 2011-05-10 05:23:27 PDT
The following testcase asserts on TI revision 32e8c937a409 (run with -m -n -a),
tested on 64 bit:

function test() {
    function f(a, b, c) {
        return c;
    if (gczeal == 'function') actual = f(1.5, 1.25, 1.125)
    else expect;
    (expect, actual, summary);
    var actual = '';
Comment 1 Brian Hackett (:bhackett) 2011-05-10 08:12:18 PDT
Regalloc bug from the SSA conversion.  When branching and computing the register allocation at the target bytecode, we assign FP registers at the target to any variables which are currently in FP registers and meet some other criteria.  However, with SSA we can have a variable which is a known double at the branch but is not known to be anything at the target, and would still assign an FP register at the target.  The fix filters out such variables from the register allocation, by looking at types of the target's phi nodes.
Comment 2 Christian Holler (:decoder) 2013-01-14 07:58:43 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug655990.js.

Note You need to log in before you can comment on or make changes to this bug.