Closed Bug 680842 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: [infer failure] Missing type for this: <0x7f2806317298> at jsinfer.cpp:336

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase) 

The following testcase asserts on TI revision 8fe193e034cb (run with -j -m -n -a), tested on 64 bit:


var gTestcases = new Array;
var gTc = gTestcases;
var msg = '';
function TestCase(n, d, e, a)
gTestcases[gTc++]=this;TestCase.prototype.dump=function () {
  lines = msg
  for (var i=0; i<lines; ) {  }
}
function writeHeaderToLog( string ) {
  for (var i = 0; ; i++)
  gTestcases[i].dump()
}
try {
  TIME_2000 = 946684800000
} catch (exc1) {}
addNewTestCase( Date, 999 );
addNewTestCase( Date,TIME_2000 )( writeHeaderToLog( 2000,0,1,0,0,0,0), 0 );
function addNewTestCase( DateCase, DateString, ResultArray ) {
  new TestCase
  Date.prototype=new TestCase
}
The TypeFailure function is called here from stubs::AssertArgumentTypes in methodjit/StubCalls.cpp. Looks like the call is either wrong or the TypeString returned is broken.
Tricky issue with objects that have lazily generated types.  Before their types have been generated, these objects have the default 'new' type for their prototype (so that obj->getProto doesn't have to do anything complicated).  However, when generating code to test type barriers containing this default 'new' type, we would get a spurious match for singleton objects with such lazily generated types, and would not update the pushed types accordingly.

The fix adds an extra branch when testing type barriers containing objects, to separate out the cases for objects with/without singleton types.  This branch could be eliminated in many cases with a small amount of extra analysis/complexity, but for now I'd rather wait and see if there is such a need.

http://hg.mozilla.org/projects/jaegermonkey/rev/ffd0982472fa
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug680842.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.