Closed Bug 656259 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: !fe->data.inRegister(), at methodjit/FrameState-inl.h:909

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

The following testcase asserts on TI revision fd1abc43d698 (run with -m -n -a), tested on 64 bit: function throwsRangeError(t) { try { t: for (t[t++] in object) { t++ break t; } date(t) } catch (err) {} } throwsRangeError(Infinity);
Oversight, we would allow register allocations at join points to assign FP registers to entries which weren't being tracked by the analysis (only possible in scripts with try or switch blocks), and which we don't require to match analysis information at join points. http://hg.mozilla.org/projects/jaegermonkey/rev/2178344055f5
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug656259.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.