Closed Bug 680809 Opened 8 years ago Closed 8 years ago

TI: Assertion failure: alloc && !alloc->assigned(reg), at methodjit/LoopState.cpp:515

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-needed)

The following testcase asserts on TI revision a2bbe9c999b4 (run with -j -m -n), tested on 64 bit. Original test was produced by anion (fuzzer by adrake):

function f0(p0) {
    var v0;
    v0 = 1.7;
    loop0: while (v0) {
        v0 = p0;
    }
}
print(f0(3350));

When marking loop-carried registers we need to keep track of whether the target of the entry jump into the loop has been passed during the compiler's scan, so that the register will be loaded before that entry jump (the backedge does not dominate the entry's jump target). We set this flag too early, before the entry register allocation had been computed, and if register state was modified while coercing ints into doubles for phi nodes at the entry point then the entry register state was updated before it had been constructed.

http://hg.mozilla.org/projects/jaegermonkey/rev/d7217d210771
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/loops/bug680809.js.
Flags: in-testsuite+