Closed Bug 681006 Opened 9 years ago Closed 9 years ago

TI: Assertion failure: !fe->data.inRegister(), at methodjit/FrameState-inl.h:966

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

The following testcase asserts on TI revision 8fe193e034cb (run with -j -m -n -a), tested on 64-bit. Original test was produced by anion (fuzzer by adrake):

function f0(p0,p1) {
    var v3;
    do {
        p1 > v3
        v3=1.7
    } while (p1 * v0 > p0);
    + v3;
}
f0(4105,8307);

Ooh, another old regalloc bug. When handling branches to opcodes that have phi nodes degrading type information (so that information about a var is less precise at the target than at the source of the branch), we did not have complete handling for the case where the var is known-double at the source but unknown at the target. The frame could use a normal register for the variable, and after the branch this register would not be forgotten even though the variable is still known-double in the fallthrough. This case is very similar to what we need to do when the var is known-int at the source but known-double at the target; the fix extends the mechanism used in that case.

http://hg.mozilla.org/projects/jaegermonkey/rev/b9a48e6f870e
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug681006.js.
Flags: in-testsuite+