Bug 685472 - Assertion failure: !thisFe->isNotType(JSVAL_TYPE_OBJECT), at methodjit/Compiler.cpp:5574
Whiteboard: js-triage-needed [qa+]
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla10
Assigned To: Brian Hackett (:bhackett)
QA Contact: Jason Orendorff [:jorendorff]
Depends on: 723574
Blocks: langfuzz
Reported: 2011-09-08 01:54 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:27 PST
CC: 9 users
Flags: choller: in-testsuite+

Attachments:
patch (2.60 KB, patch) - 2011-10-05 17:47 PDT, Brian Hackett (:bhackett) - dvander: review+
fix TypeSet::getKnownTypeTag (636 bytes, patch) - 2011-10-20 12:26 PDT, Brian Hackett (:bhackett) - dvander: review+

Description Christian Holler (:decoder) 2011-09-08 01:54:50 PDT
The following test crashes on mozilla-central revision b7d269a291b6 (options -m -n -a):

function Integer(value, exception) {
    try {} catch (e) {}
    // 'this' (the new Integer instance) is not callable, so this throws a
    // TypeError; everything after it in the body is never executed.
    new(value = this)(this.value);
    Math.floor(({})[value.Math, this].abstract);
}
new Integer(3, false);
Comment 1 Christian Holler (:decoder) 2011-10-05 14:03:54 PDT
This does not seem to be a recent regression, it seems to go back into the TI branch (before merge to m-c). Also affects aurora now.
Comment 2 Brian Hackett (:bhackett) 2011-10-05 17:47:46 PDT
Created attachment 565096

Bogus assert, and incomplete fix from bug 684084.  When a script has never executed, the compiler could get tricked into thinking the 'this' value is not an object.  In such cases, the code being generated will never actually run.
Comment 3 Brian Hackett (:bhackett) 2011-10-19 08:26:46 PDT
Comment 4 Marco Bonardo [::mak] 2011-10-20 02:59:55 PDT

Please check tree-management, one of these recent patches regressed V8.
Comment 5 Brian Hackett (:bhackett) 2011-10-20 12:26:40 PDT
Created attachment 568469
fix TypeSet::getKnownTypeTag

It looks possible that this slightly regressed v8bench --- the corner case this is fixing hits on v8-raytrace due to a bug in getKnownTypeTag.  For a type set which contains just the ANYOBJECT type (it can contain any object, and nothing else), getKnownTypeTag would return JSVAL_TYPE_UNKNOWN.
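The corner case described in comment 5, as an added example that is not part of this bug or of SpiderMonkey's source: a simplified model of a type set whose flag word can carry an "any object" bit, and a getKnownTypeTag that maps the flag word to a single value type. The flag names, their bit values, the `objectCount` field, the `fixed` switch and the overall shape of the lookup are assumptions for illustration; only the behaviour being contrasted (ANYOBJECT alone answering JSVAL_TYPE_UNKNOWN before the fix, JSVAL_TYPE_OBJECT after) comes from the comment above.

```cpp
// Simplified model of a type-inference TypeSet and getKnownTypeTag, written as an
// added example for this bug. NOT SpiderMonkey's code: flag names, bit values and
// the structure of the lookup are assumptions made for illustration.
#include <cstdint>
#include <cstdio>

enum JSValueType {
    JSVAL_TYPE_UNKNOWN,
    JSVAL_TYPE_UNDEFINED,
    JSVAL_TYPE_NULL,
    JSVAL_TYPE_BOOLEAN,
    JSVAL_TYPE_INT32,
    JSVAL_TYPE_DOUBLE,
    JSVAL_TYPE_STRING,
    JSVAL_TYPE_OBJECT
};

// Bit flags summarising which kinds of value a set has observed (assumed layout).
typedef uint32_t TypeFlags;
enum : TypeFlags {
    TYPE_FLAG_UNDEFINED = 1u << 0,
    TYPE_FLAG_NULL      = 1u << 1,
    TYPE_FLAG_BOOLEAN   = 1u << 2,
    TYPE_FLAG_INT32     = 1u << 3,
    TYPE_FLAG_DOUBLE    = 1u << 4,
    TYPE_FLAG_STRING    = 1u << 5,
    // "Any object at all": the set may hold objects but tracks no specific ones.
    TYPE_FLAG_ANYOBJECT = 1u << 6
};

struct TypeSet {
    TypeFlags flags;       // primitive flags plus, possibly, ANYOBJECT
    unsigned objectCount;  // number of specific object types recorded (assumed)
};

// Map a flag word to one value type, or UNKNOWN when it names several kinds.
// `fixed` selects the corrected table; the buggy table has no ANYOBJECT case.
JSValueType GetValueTypeFromTypeFlags(TypeFlags flags, bool fixed) {
    switch (flags) {
      case TYPE_FLAG_UNDEFINED: return JSVAL_TYPE_UNDEFINED;
      case TYPE_FLAG_NULL:      return JSVAL_TYPE_NULL;
      case TYPE_FLAG_BOOLEAN:   return JSVAL_TYPE_BOOLEAN;
      case TYPE_FLAG_INT32:     return JSVAL_TYPE_INT32;
      case TYPE_FLAG_DOUBLE:    return JSVAL_TYPE_DOUBLE;
      case TYPE_FLAG_STRING:    return JSVAL_TYPE_STRING;
      case TYPE_FLAG_ANYOBJECT:
        // Buggy behaviour: "any object, nothing else" is treated as unknown, so
        // the compiler loses the fact that the value is always an object.
        // Fixed behaviour: an unspecified object is still an object.
        return fixed ? JSVAL_TYPE_OBJECT : JSVAL_TYPE_UNKNOWN;
      default:
        // Empty set (code never observed) or a mix of several kinds.
        return JSVAL_TYPE_UNKNOWN;
    }
}

JSValueType getKnownTypeTag(const TypeSet &ts, bool fixed) {
    if (ts.objectCount != 0) {
        // Specific objects recorded: an object unless primitives were seen too.
        // ANYOBJECT next to specific objects is still just "object".
        TypeFlags primitives = ts.flags & ~TYPE_FLAG_ANYOBJECT;
        return primitives ? JSVAL_TYPE_UNKNOWN : JSVAL_TYPE_OBJECT;
    }
    return GetValueTypeFromTypeFlags(ts.flags, fixed);
}

int main() {
    const TypeSet anyObject = { TYPE_FLAG_ANYOBJECT, 0 };            // comment 5's case
    const TypeSet oneObject = { 0, 1 };                              // one concrete object type
    const TypeSet intOrObj  = { TYPE_FLAG_INT32 | TYPE_FLAG_ANYOBJECT, 0 };
    const TypeSet neverRun  = { 0, 0 };                              // empty: never executed

    std::printf("ANYOBJECT only: buggy=%d fixed=%d (OBJECT is %d)\n",
                getKnownTypeTag(anyObject, false), getKnownTypeTag(anyObject, true),
                JSVAL_TYPE_OBJECT);
    std::printf("one object:     buggy=%d fixed=%d\n",
                getKnownTypeTag(oneObject, false), getKnownTypeTag(oneObject, true));
    std::printf("int|ANYOBJECT:  buggy=%d fixed=%d (UNKNOWN is %d)\n",
                getKnownTypeTag(intOrObj, false), getKnownTypeTag(intOrObj, true),
                JSVAL_TYPE_UNKNOWN);
    std::printf("never run:      buggy=%d fixed=%d\n",
                getKnownTypeTag(neverRun, false), getKnownTypeTag(neverRun, true));
    return 0;
}
```

The only row that changes between the two tables is the ANYOBJECT-only set; sets with concrete object entries, mixed sets and the empty set answer the same before and after. That is why the problem shows up as a performance regression (a value known to be an object compiled on the generic path) rather than as wrong results.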
Comment 6 Brian Hackett (:bhackett) 2011-10-22 07:22:28 PDT
Comment 7 Ed Morley [:emorley] 2011-10-23 09:31:17 PDT
Comment 8 Alex Keybl [:akeybl] 2011-12-05 19:19:39 PST
Is this a major concern for FF8? Please nominate for beta approval if so.
Comment 9 Christian Holler (:decoder) 2013-01-19 14:27:21 PST
Automatically extracted testcase for this bug was committed:
