Closed Bug 658294 Opened 12 years ago Closed 12 years ago

TI: Assertion failure: v.isNumber() || v.isBoolean(), at jsobj.cpp:6578

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase) 

The following testcase asserts on TI revision 4dff743ec04d (run with -j -m -n -a), tested on 64 bit:

test();
function test()
{
  try {
    instances = []
    for (var i = 0; i != 2; ++i) 
    instances[i]=constructor
    var i = 0;
    var instance = instances[i];
    var name = instance.name;
    for (var j = 1; j != instances; ++j) 
    if (i != j && instance instanceof name[j].constructor) {}
  } catch(ex) {}
}
test();
On some paths through stubs::GetElem and ic::GetElement/CallElement, we did not call typeMonitor before returning to update type information for the result of the access (grumble... x2).

http://hg.mozilla.org/projects/jaegermonkey/rev/3a894ab530ae
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug658294.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.