Closed Bug 656259 Opened 12 years ago Closed 12 years ago

TI: Assertion failure: !fe->data.inRegister(), at methodjit/FrameState-inl.h:909

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

Christian Holler (:decoder)

Reporter

Description

•

12 years ago

The following testcase asserts on TI revision fd1abc43d698 (run with -m -n -a),
tested on 64 bit:


function throwsRangeError(t) {
    try {
        t: for (t[t++] in object) {
            t++
            break t;
        }
        date(t)
    } catch (err) {}
}
throwsRangeError(Infinity);

Brian Hackett [Laid off!]

Comment 1

•

12 years ago

Oversight, we would allow register allocations at join points to assign FP registers to entries which weren't being tracked by the analysis (only possible in scripts with try or switch blocks), and which we don't require to match analysis information at join points.

http://hg.mozilla.org/projects/jaegermonkey/rev/2178344055f5

Status: NEW → RESOLVED

Closed: 12 years ago

Resolution: --- → FIXED

Christian Holler (:decoder)

Reporter

Comment 2

•

11 years ago

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug656259.js.

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

TI: Assertion failure: !fe->data.inRegister(), at methodjit/FrameState-inl.h:909

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2