Closed Bug 684084 Opened 8 years ago Closed 8 years ago

Assertion failure: fe->isType(type), at methodjit/Compiler.cpp:7024

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Status: RESOLVED FIXED
People: Reporter: decoder, Unassigned
References: Blocks 2 open bugs
Keywords: assertion, testcase; Whiteboard: fixed-in-jaegermonkey
Attachments: 1 file

The following testcase asserts on mozilla-central revision fcca99426576 (run with -m -n -a), tested on 64 bit:

function Integer( value, exception ) {
  try {  } catch ( e ) {  }
  // JSOP_THIS is compiled here before the script has ever run (-a), so its
  // inferred 'this' type set is still empty
  new (value = this)( this.value );
  if ( Math.floor(value) != value || isNaN(value) ) {  }
}
new Integer( 3, false );
Attached patch: patch (Splinter Review)
For JSOP_THIS in scripts which have not yet had a 'this' value assigned (we are using '-a' and the script has never run), the inferred type set for the value pushed by the op is empty but the compiler still marked it as a double, breaking the invariant that compiler types reflect inferred types.
Attachment #558021 - Flags: review?(dvander)
Attachment #558021 - Flags: review?(dvander) → review+
Is this really fully fixed? I have another test involving "this" and the same assertion:

// shadows the global Function; the script has never been called with 'new'
// before, so the compiler builds the 'this' object inline
function Function() {
    try {
    var g = this;
    g.c("evil", eval); // g.c is undefined, the TypeError is swallowed below
    } catch(b) {}
}
var o0 = Function.prototype;
var f = new Function( (null ) );

This works on jaegermonkey revision fc5a768a97b5 (which should include your fix already if I'm not mistaken). Also works on m-c, requires options -m -n -a. If this is not the same bug, let me know.
The second testcase is a different, though somewhat related issue.  When generating inline code to construct the 'this' value for scripts called with 'new', the compiler could inadvertently update the known 'this' types of the script if the script had never actually been called with 'new' before.  Type sets should never change during compilation (they do if we detect a static integer overflow, but doing this forces compilation to restart).

http://hg.mozilla.org/projects/jaegermonkey/rev/7db908db3669
https://hg.mozilla.org/mozilla-central/rev/c943bbf9dac4
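As an added illustration, not part of the bug report or the patch, of why a script's 'this' type set has to be built from observed calls rather than chosen by the compiler: the same function sees a different receiver type for a plain call, a constructor call, a primitive receiver and an explicit global receiver. The Probe/observedThisTypes names below are this example's own. The function-level "use strict" directive keeps the result independent of whether the file runs as a script or a module.

```javascript
// Constructed example: record the kind of `this` seen on each invocation.
// In JaegerMonkey terms, thisLog is the run-time profile from which the
// "known 'this' types" of the script are built; it is empty until the
// first call, which is the state the compiler saw under -m -n -a.
const thisLog = [];

function Probe() {
  "use strict"; // no boxing of primitives, no substitution of the global object
  let kind;
  if (this === undefined) kind = "undefined";            // plain call in strict mode
  else if (this === null) kind = "null";                 // Probe.call(null), not coerced
  else if (this === globalThis) kind = "global";         // explicit global receiver
  else if (this instanceof Probe) kind = "constructed";  // `new Probe()` / Reflect.construct
  else kind = Object.prototype.toString.call(this).slice(8, -1); // "Number", "String", ...
  thisLog.push(kind);
  return kind;
}

// Invokes Probe in every receiver mode and returns the distinct kinds seen,
// in order of first appearance. A constructor call contributes a fresh
// object; nothing here is a double, which is what the first testcase's
// compiler wrongly assumed for an empty set.
function observedThisTypes() {
  thisLog.length = 0;
  Probe();                       // plain call: this === undefined
  new Probe();                   // constructor call: fresh object
  Reflect.construct(Probe, []);  // constructor call without `new` syntax
  Probe.call(3);                 // primitive receiver stays a number in strict mode
  Probe.call("s");
  Probe.call(null);
  Probe.apply(globalThis);
  return Array.from(new Set(thisLog));
}

// Returns true if a recorded profile already contains a constructed-object
// entry, i.e. the script has been called with `new` at least once. The
// second testcase hit the compiler adding such an entry itself instead of
// waiting for this to become true at run time.
function seenNewCall() {
  return thisLog.includes("constructed");
}
```

Run observedThisTypes() once and the set grows to six distinct receiver kinds from one function body; reset thisLog and seenNewCall() is false, which is the "never called with new" state the second fix preserves.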
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug684084-2.js.
Flags: in-testsuite+