
Assertion failure: fe->isType(type), at methodjit/Compiler.cpp:7024

RESOLVED FIXED


Core
JavaScript Engine
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Trunk
x86_64
Linux
assertion, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-jaegermonkey)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following testcase asserts on mozilla-central revision fcca99426576 (run with -m -n -a), tested on 64 bit:


function Integer( value, exception ) {
  try {  } catch ( e ) {  }
  new (value = this)( this.value );
  if ( Math.floor(value) != value || isNaN(value) ) {  }
}
new Integer( 3, false );
Created attachment 558021
patch

For JSOP_THIS in scripts which have not yet had a 'this' value assigned (we are using '-a' and the script has never run), the inferred type set for the value pushed by the op is empty but the compiler still marked it as a double, breaking the invariant that compiler types reflect inferred types.
Attachment #558021 - Flags: review?(dvander)
Attachment #558021 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/jaegermonkey/rev/77e9502bd20f
Whiteboard: fixed-in-jaegermonkey
(Reporter)

Comment 3

6 years ago
Is this really fully fixed? I have another test involving "this" and the same assertion:

function Function() {
    try {
        var g = this;
        g.c("evil", eval);
    } catch(b) {}
}
var o0 = Function.prototype;
var f = new Function( (null ) );


This works on jaegermonkey revision fc5a768a97b5 (which should include your fix already if I'm not mistaken). Also works on m-c, requires options -m -n -a. If this is not the same bug, let me know.
The second testcase is a different, though somewhat related issue. When generating inline code to construct the 'this' value for scripts called with 'new', the compiler could inadvertently update the known 'this' types of the script if the script had never actually been called with 'new' before. Type sets should never change during compilation (they do if we detect a static integer overflow, but doing this forces compilation to restart).

http://hg.mozilla.org/projects/jaegermonkey/rev/7db908db3669
https://hg.mozilla.org/mozilla-central/rev/c943bbf9dac4
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

4 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug684084-2.js.
Flags: in-testsuite+