Closed Bug 677635 Opened 8 years ago Closed 8 years ago

TI: Assertion failure: v.isObject(), at jsnum.cpp:1362

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux

Tracking

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-needed)

The following testcase asserts on TI revision bde71d2d88fb (run with -j -m -n -a), tested on 64 bit:


try {
  var index = 0;
} catch (e) {}
test();
function test() {
  try { 
        for(var [message,prettyPrinting]=[arguments,__lookupGetter__];
        message<index;
        [message,prettyPrinting]=[arguments,__lookupGetter__])gczeal(message);
  } catch(ex) {  } 
}

The destructuring assignment here uses LOCAL opcodes to access values pushed by a previous ARGUMENTS opcode, which caused the SSA use chains to be incorrect and the arguments escape analysis to break. These accesses aren't a problem for TI otherwise as they get marked with unknown type, but any analysis which depends on use chains needs to watch for scripts containing such accesses and behave pessimistically.

http://hg.mozilla.org/projects/jaegermonkey/rev/8a7510ed55aa
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
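
A simplified model of the failure described in the comment above, added here as an illustration and not taken from the SpiderMonkey source or the linked changeset. The bytecode encoding, `NFIXED`, `buildUseChains` and `argumentsEscape` are hypothetical; only the opcode names echo the comment. It shows use chains built from stack pops missing a LOCAL-opcode read of the ARGUMENTS value, and the pessimistic fallback that restores a safe answer.

```javascript
// Toy model only: opcode names echo the bug comment, but the encoding,
// NFIXED and both functions are hypothetical, not SpiderMonkey code.
const NFIXED = 2; // slots 0..1 are named locals; slots >= 2 alias stack temporaries

// Constructed bytecode for: [message, prettyPrinting] = [arguments, g]
const script = [
  { op: "ARGUMENTS" },          // pc 0: pushed into stack slot 2
  { op: "NAME" },               // pc 1: pushed into stack slot 3
  { op: "GETLOCAL", slot: 2 },  // pc 2: re-reads the ARGUMENTS value via a local opcode
  { op: "SETLOCAL", slot: 0 },  // pc 3: message = <that value>
  { op: "POP" },
  { op: "GETLOCAL", slot: 3 },  // pc 5: re-reads the second temporary
  { op: "SETLOCAL", slot: 1 },  // pc 6: prettyPrinting = <that value>
  { op: "POP" },
  { op: "POPN", n: 2 },         // pc 8: discard both temporaries
];

// Use chains built only from stack traffic: defining pc -> opcodes that used the value.
function buildUseChains(code) {
  const stack = [], uses = new Map();
  code.forEach((ins, pc) => {
    const consume = (n) => { while (n-- > 0) uses.get(stack.pop()).push(ins.op); };
    if (ins.op === "POP") consume(1);
    else if (ins.op === "POPN") consume(ins.n);
    else if (ins.op === "SETLOCAL") uses.get(stack[stack.length - 1]).push(ins.op);
    else { uses.set(pc, []); stack.push(pc); } // ARGUMENTS, NAME, GETLOCAL start a new def
  });
  return uses;
}

const SAFE = new Set(["POP", "POPN"]); // uses that cannot leak the arguments object

function argumentsEscape(code, pessimistic) {
  // Mitigation from the comment: a local opcode addressing a stack slot means the
  // chains are incomplete, so assume the worst instead of trusting them.
  const aliased = code.some(i => /^(GET|SET)LOCAL$/.test(i.op) && i.slot >= NFIXED);
  if (pessimistic && aliased) return true;
  const uses = buildUseChains(code);
  return code.some((ins, pc) =>
    ins.op === "ARGUMENTS" && uses.get(pc).some(u => !SAFE.has(u)));
}
```

Without the fallback, the only recorded use of the ARGUMENTS value is the final POPN, so the analysis reports that it never escapes even though a copy now lives in `message`.
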
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug677635.js.
Flags: in-testsuite+