Bug 685472 - Assertion failure: !thisFe->isNotType(JSVAL_TYPE_OBJECT), at methodjit/Compiler.cpp:5574
Status: RESOLVED FIXED
Whiteboard: js-triage-needed [qa+]
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla10
Assigned To: Brian Hackett (:bhackett)
Mentors:
Depends on: 723574
Blocks: langfuzz
Reported: 2011-09-08 01:54 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:27 PST (History)
Flags: choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
Attachments
patch (2.60 KB, patch)
2011-10-05 17:47 PDT, Brian Hackett (:bhackett)
dvander: review+
fix TypeSet::getKnownTypeTag (636 bytes, patch)
2011-10-20 12:26 PDT, Brian Hackett (:bhackett)
dvander: review+

Description Christian Holler (:decoder) 2011-09-08 01:54:50 PDT
The following test crashes on mozilla-central revision b7d269a291b6 (options -m -n -a):


function Integer(value, exception) {
    try {} catch (e) {}
    new(value = this)(this.value);
    Math.floor(({})[value.Math, this].abstract) 
}
new Integer(3, false);
Comment 1 Christian Holler (:decoder) 2011-10-05 14:03:54 PDT
This does not seem to be a recent regression; it seems to go back into the TI branch (before merge to m-c). Also affects aurora now.
Comment 2 Brian Hackett (:bhackett) 2011-10-05 17:47:46 PDT
Created attachment 565096 [details] [diff] [review]
patch

Bogus assert, and incomplete fix from bug 684084.  When a script has never executed, the compiler could get tricked into thinking the 'this' value is not an object.  In such cases, the code being generated will never actually run.
Comment 3 Brian Hackett (:bhackett) 2011-10-19 08:26:46 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/e4f083b20def
Comment 4 Marco Bonardo [::mak] 2011-10-20 02:59:55 PDT
https://hg.mozilla.org/mozilla-central/rev/e4f083b20def

please check tree-management, one of these recent patches regressed V8
Comment 5 Brian Hackett (:bhackett) 2011-10-20 12:26:40 PDT
Created attachment 568469 [details] [diff] [review]
fix TypeSet::getKnownTypeTag

It looks possible that this slightly regressed v8bench --- the corner case this is fixing hits on v8-raytrace due to a bug in getKnownTypeTag.  For a type set which contains just the ANYOBJECT type (it can contain any object, and nothing else), getKnownTypeTag would return JSVAL_TYPE_UNKNOWN.
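To make the corner case in comment 5 concrete, here is a small hypothetical model of a type set and its known-type-tag query, added here as an illustration and not taken from SpiderMonkey's sources: the flag names, the struct layout and both function bodies are assumptions. It shows the buggy answer for a set holding only ANYOBJECT beside the corrected one.

```cpp
#include <cstdint>
// Hypothetical model of a type set (not SpiderMonkey's code): primitive types are
// flag bits, "any object" is one more flag, specific object types are a count.
enum TypeFlags : uint32_t {
    TYPE_FLAG_UNDEFINED = 1u << 0, TYPE_FLAG_NULL   = 1u << 1,
    TYPE_FLAG_BOOLEAN   = 1u << 2, TYPE_FLAG_INT32  = 1u << 3,
    TYPE_FLAG_DOUBLE    = 1u << 4, TYPE_FLAG_STRING = 1u << 5,
    TYPE_FLAG_ANYOBJECT = 1u << 6,  // "can contain any object, and nothing else"
};

enum JSValueType {
    JSVAL_TYPE_UNDEFINED, JSVAL_TYPE_NULL, JSVAL_TYPE_BOOLEAN, JSVAL_TYPE_INT32,
    JSVAL_TYPE_DOUBLE, JSVAL_TYPE_STRING, JSVAL_TYPE_OBJECT, JSVAL_TYPE_UNKNOWN
};

struct TypeSet {
    uint32_t flags;        // TYPE_FLAG_* bits, possibly including ANYOBJECT
    unsigned objectCount;  // number of specific object types in the set
};

// Exactly one primitive flag decodes to its tag; anything else is unknown.
static JSValueType primitiveTag(uint32_t flags) {
    switch (flags) {
      case TYPE_FLAG_UNDEFINED: return JSVAL_TYPE_UNDEFINED;
      case TYPE_FLAG_NULL:      return JSVAL_TYPE_NULL;
      case TYPE_FLAG_BOOLEAN:   return JSVAL_TYPE_BOOLEAN;
      case TYPE_FLAG_INT32:     return JSVAL_TYPE_INT32;
      case TYPE_FLAG_DOUBLE:    return JSVAL_TYPE_DOUBLE;
      case TYPE_FLAG_STRING:    return JSVAL_TYPE_STRING;
      default:                  return JSVAL_TYPE_UNKNOWN;
    }
}

// Corner case from comment 5: only the count of specific object types decides
// "object", so a set holding just ANYOBJECT falls through to primitiveTag -> UNKNOWN.
JSValueType getKnownTypeTagBuggy(const TypeSet &ts) {
    if (ts.objectCount)
        return ts.flags ? JSVAL_TYPE_UNKNOWN : JSVAL_TYPE_OBJECT;
    return primitiveTag(ts.flags);
}

// Corrected variant: ANYOBJECT counts as an object type, and only the remaining
// primitive bits decide whether the set is mixed (UNKNOWN) or purely OBJECT.
JSValueType getKnownTypeTagFixed(const TypeSet &ts) {
    uint32_t primitives = ts.flags & ~uint32_t(TYPE_FLAG_ANYOBJECT);
    bool hasObjects = ts.objectCount || (ts.flags & TYPE_FLAG_ANYOBJECT);
    if (hasObjects)
        return primitives ? JSVAL_TYPE_UNKNOWN : JSVAL_TYPE_OBJECT;
    return primitiveTag(primitives);
}
```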
Comment 6 Brian Hackett (:bhackett) 2011-10-22 07:22:28 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/5622da118913
Comment 7 Ed Morley [:emorley] 2011-10-23 09:31:17 PDT
https://hg.mozilla.org/mozilla-central/rev/5622da118913
Comment 8 Alex Keybl [:akeybl] 2011-12-05 19:19:39 PST
Is this a major concern for FF8? Please nominate for beta approval if so.
Comment 9 Christian Holler (:decoder) 2013-01-19 14:27:21 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
