Bug 684084 - Assertion failure: fe->isType(type), at methodjit/Compiler.cpp:7024
Status: RESOLVED FIXED
Whiteboard: fixed-in-jaegermonkey
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Priority: --
Severity: critical
Assigned To: general
Blocks: infer-regress langfuzz
Reported: 2011-09-01 16:18 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:30 PST (History)
Flags: choller: in-testsuite+

Attachments
patch (1.65 KB, patch)
2011-09-02 19:26 PDT, Brian Hackett (:bhackett)
dvander: review+

Description Christian Holler (:decoder) 2011-09-01 16:18:54 PDT
The following testcase asserts on mozilla-central revision fcca99426576 (run with -m -n -a), tested on 64 bit:


function Integer( value, exception ) {
  try {  } catch ( e ) {  }
  new (value = this)( this.value );
  if ( Math.floor(value) != value || isNaN(value) ) {  }
}
new Integer( 3, false );
Comment 1 Brian Hackett (:bhackett) 2011-09-02 19:26:03 PDT
Created attachment 558021: patch

For JSOP_THIS in scripts which have not yet had a 'this' value assigned (we are using '-a' and the script has never run), the inferred type set for the value pushed by the op is empty but the compiler still marked it as a double, breaking the invariant that compiler types reflect inferred types.
Comment 2 Brian Hackett (:bhackett) 2011-09-04 13:43:21 PDT
http://hg.mozilla.org/projects/jaegermonkey/rev/77e9502bd20f
Comment 3 Christian Holler (:decoder) 2011-09-06 04:45:00 PDT
Is this really fully fixed? I have another test involving "this" and the same assertion:

function Function() {
    try {
    var g = this;
    g.c("evil", eval);
    } catch(b) {}
}
var o0 = Function.prototype;
var f = new Function( (null ) );


This works on jaegermonkey revision fc5a768a97b5 (which should include your fix already if I'm not mistaken). Also works on m-c, requires options -m -n -a. If this is not the same bug, let me know.
Comment 4 Brian Hackett (:bhackett) 2011-09-12 13:04:56 PDT
The second testcase is a different, though somewhat related issue. When generating inline code to construct the 'this' value for scripts called with 'new', the compiler could inadvertently update the known 'this' types of the script if the script had never actually been called with 'new' before. Type sets should never change during compilation (they do if we detect a static integer overflow, but doing this forces compilation to restart).

http://hg.mozilla.org/projects/jaegermonkey/rev/7db908db3669
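The two invariants described in comment 1 and comment 4 (a compiler-recorded type must be one the inferred type set actually contains, and type sets must not change while compilation is in progress, except through the overflow-and-restart path) can be modelled in a few dozen lines. The following is an added example and is not SpiderMonkey code; the names TypeSet, FrameEntry, Type, pushThisBuggy, pushThisFixed, compileConstructor and compileWithOverflowRestart are assumptions chosen for the model, loosely echoing the fe->isType(type) check in the assertion message.

```cpp
#include <cassert>
#include <set>
#include <stdexcept>

// Hypothetical model of inferred type sets versus the method compiler's
// per-value "known type" (added example, not SpiderMonkey's implementation).
enum class Type { Undefined, Int32, Double, Object, Unknown };

// Inferred type set: the types a value has been observed to hold at runtime.
// An empty set means the op has never executed, e.g. 'this' in a script that
// has never run (the '-a' case from comment 1).
struct TypeSet {
    std::set<Type> observed;
    bool frozen = false;  // true while a compilation is in progress

    void addType(Type t) {
        if (frozen)
            throw std::logic_error("type set mutated during compilation");
        observed.insert(t);
    }
    // The single known type if exactly one has been observed, else Unknown.
    Type knownType() const {
        return observed.size() == 1 ? *observed.begin() : Type::Unknown;
    }
};

// Compiler-side frame entry: the static type the compiler records for a value.
struct FrameEntry {
    Type type = Type::Unknown;
    bool isType(Type t) const { return type == t; }
};

// The invariant behind the assertion in the bug title: any concrete type the
// compiler records must be one the inferred type set actually contains.
bool invariantHolds(const FrameEntry& fe, const TypeSet& ts) {
    if (fe.type == Type::Unknown) return true;  // nothing concrete was asserted
    return ts.observed.count(fe.type) != 0;
}

// Comment 1, before the fix: the value pushed for 'this' is marked double even
// though the inferred set is empty.
FrameEntry pushThisBuggy(const TypeSet& /*thisTypes*/) {
    FrameEntry fe;
    fe.type = Type::Double;  // hard-coded assumption that ignores the empty set
    return fe;
}

// Comment 1, after the fix: the frame entry's type is derived from the inferred
// set, so an empty set yields Unknown and the invariant is preserved.
FrameEntry pushThisFixed(const TypeSet& thisTypes) {
    FrameEntry fe;
    fe.type = thisTypes.knownType();
    return fe;
}

// Comment 4: compiling a constructor must not write into the script's 'this'
// type set. Returns true if compilation completed without touching the set.
bool compileConstructor(TypeSet& thisTypes, bool buggyInlineThisPath) {
    thisTypes.frozen = true;
    bool ok = true;
    try {
        if (buggyInlineThisPath)
            thisTypes.addType(Type::Object);  // the inadvertent update from comment 4
        // ... code for the constructor would be emitted here ...
    } catch (const std::logic_error&) {
        ok = false;
    }
    thisTypes.frozen = false;
    return ok;
}

// The sanctioned exception from comment 4: a statically detected integer
// overflow widens the set to double, but only by abandoning the current
// compilation and restarting. Returns the number of compilation attempts.
int compileWithOverflowRestart(TypeSet& resultTypes) {
    int attempts = 0;
    bool overflowDetected = true;  // constructed: the first attempt finds one
    while (true) {
        ++attempts;
        resultTypes.frozen = true;
        if (overflowDetected) {
            resultTypes.frozen = false;         // leave compilation...
            resultTypes.addType(Type::Double);  // ...widen the type set...
            overflowDetected = false;           // ...and start over
            continue;
        }
        resultTypes.frozen = false;
        return attempts;
    }
}

int main() {
    TypeSet neverRun;  // constructed: 'this' in a script that has not executed
    assert(!invariantHolds(pushThisBuggy(neverRun), neverRun));  // the assertion fires
    assert(invariantHolds(pushThisFixed(neverRun), neverRun));
    TypeSet ctor;
    assert(!compileConstructor(ctor, true) && ctor.observed.empty());
    assert(compileWithOverflowRestart(ctor) == 2);
    return 0;
}
```

Running the model shows why the debug assertion is the right place to catch this class of bug: the inferred set is the ground truth, and any compiler-side shortcut that records a type without consulting it (or writes into it mid-compilation) is detected before the generated code could act on a stale assumption.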
Comment 5 Brian Hackett (:bhackett) 2011-09-22 14:05:48 PDT
https://hg.mozilla.org/mozilla-central/rev/c943bbf9dac4
Comment 6 Christian Holler (:decoder) 2013-01-14 08:30:51 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug684084-2.js.
