Assertion failure: !fe->data.inRegister(), at methodjit/FrameState-inl.h:977

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox9-)

Details

(Whiteboard: fixed-in-jaegermonkey)

(Reporter)

Description

6 years ago
The following test asserts on mozilla-central revision a351ae35f2c4 (options -m -n -a):


function f0(p0,p1) {
    var v3;
    do {
        p1 > v3
        v3=1.7
    } while (((p0[p1][5]==1)||(p0[p1][5]==2)||(p0[p1][5] == 3)) + 0 > p0);
    + (v3(f0));
}
f0(4105,8307);


Note: The specified mozilla-central revision had a build problem with standalone shell, patch from http://hg.mozilla.org/integration/mozilla-inbound/rev/fff3dc9478ce fixes this.
Wrong test used when identifying entries whose type weakens from double to unknown on a branch, and need to be reset if used to hold a GP reg on the branch.  The frame entry itself was tested, rather than the known type information shadowing the frame entry, and the frame entry is not required to reflect that known type.  Before branching to a bytecode where the entry was in a GP reg, that reg was loaded for the entry's payload but not forgotten after the branch finished.

http://hg.mozilla.org/projects/jaegermonkey/rev/370d051a4c95
Whiteboard: js-triage-needed → fixed-in-jaegermonkey

Updated

6 years ago
Duplicate of this bug: 684789
Requesting tracking for Firefox 9 to make sure we merge this to m-c, since otherwise bug 684789 is a problem.
tracking-firefox9: --- → ?
http://hg.mozilla.org/mozilla-central/rev/370d051a4c95
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Updated

6 years ago
tracking-firefox9: ? → -
(Reporter)

Comment 5

4 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug684576.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.