Assertion failure: !thisFe->isNotType(JSVAL_TYPE_OBJECT), at methodjit/Compiler.cpp:5574

RESOLVED FIXED in mozilla10

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla10
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox7 unaffected, firefox8 unaffected, firefox9+ affected, firefox10+)

Details

(Whiteboard: js-triage-needed [qa+])

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
The following test crashes on mozilla-central revision b7d269a291b6 (options -m -n -a):


function Integer(value, exception) {
    try {} catch (e) {}
    new(value = this)(this.value);
    Math.floor(({})[value.Math, this].abstract) 
}
new Integer(3, false);
(Reporter)

Comment 1

6 years ago
This does not seem to be a recent regression; it seems to go back into the TI branch (before merge to m-c). Also affects aurora now.
status-firefox7: --- → unaffected
status-firefox8: --- → unaffected
status-firefox9: --- → affected
Created attachment 565096 [details] [diff] [review]
patch

Bogus assert, and incomplete fix from bug 684084.  When a script has never executed, the compiler could get tricked into thinking the 'this' value is not an object.  In such cases, the code being generated will never actually run.
Assignee: general → bhackett1024
Attachment #565096 - Flags: review?(dvander)
Attachment #565096 - Flags: review?(dvander) → review+
(Reporter)

Updated

6 years ago
status-firefox10: --- → affected
tracking-firefox10: --- → ?
tracking-firefox9: --- → ?
https://hg.mozilla.org/integration/mozilla-inbound/rev/e4f083b20def
tracking-firefox10: ? → +
tracking-firefox9: ? → +
https://hg.mozilla.org/mozilla-central/rev/e4f083b20def

Please check tree-management; one of these recent patches regressed V8.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
Created attachment 568469 [details] [diff] [review]
fix TypeSet::getKnownTypeTag

It looks possible that this slightly regressed v8bench --- the corner case this is fixing hits on v8-raytrace due to a bug in getKnownTypeTag.  For a type set which contains just the ANYOBJECT type (it can contain any object, and nothing else), getKnownTypeTag would return JSVAL_TYPE_UNKNOWN.
Attachment #568469 - Flags: review?(dvander)
Attachment #568469 - Flags: review?(dvander) → review+
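
A simplified model of the corner case described in the comment above, as an added example (not SpiderMonkey's code and not the attached patch). The names `ToyTypeSet`, `knownTagBuggy` and `knownTagFixed`, the flag layout, and the shape of the buggy lookup are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
// Toy model only: flag values and structure are assumptions, not SpiderMonkey's.
enum Tag { TAG_INT32, TAG_DOUBLE, TAG_STRING, TAG_OBJECT, TAG_UNKNOWN };

enum : uint32_t {
    F_INT32     = 1u << 0,
    F_DOUBLE    = 1u << 1,
    F_STRING    = 1u << 2,
    F_ANYOBJECT = 1u << 3,   // "any object at all", no specific objects listed
};

struct ToyTypeSet {
    uint32_t flags = 0;        // primitive kinds plus F_ANYOBJECT
    unsigned objectCount = 0;  // specific objects recorded individually
};

// Maps a flag word to a tag when exactly one primitive kind is present.
static Tag tagFromPrimitiveFlags(uint32_t flags) {
    switch (flags) {
      case F_INT32:  return TAG_INT32;
      case F_DOUBLE: return TAG_DOUBLE;
      case F_STRING: return TAG_STRING;
      default:       return TAG_UNKNOWN;
    }
}

// Buggy shape: objects are recognised only through objectCount, so a set
// holding just F_ANYOBJECT falls into the primitive lookup and is UNKNOWN.
Tag knownTagBuggy(const ToyTypeSet &s) {
    if (s.objectCount)
        return s.flags ? TAG_UNKNOWN : TAG_OBJECT;
    return tagFromPrimitiveFlags(s.flags);
}

// Fixed shape: F_ANYOBJECT counts as "contains objects"; primitives alongside it make the set UNKNOWN.
Tag knownTagFixed(const ToyTypeSet &s) {
    bool hasObjects = s.objectCount || (s.flags & F_ANYOBJECT);
    uint32_t primitives = s.flags & ~F_ANYOBJECT;
    if (hasObjects)
        return primitives ? TAG_UNKNOWN : TAG_OBJECT;
    return tagFromPrimitiveFlags(primitives);
}

int main() {
    ToyTypeSet anyObject;  anyObject.flags = F_ANYOBJECT;
    std::printf("buggy=%d fixed=%d\n", knownTagBuggy(anyObject), knownTagFixed(anyObject));
    return 0;
}
```

In this model an empty set (no flags, no objects) still yields `TAG_UNKNOWN` from both versions, so only the any-object-only case changes.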
https://hg.mozilla.org/integration/mozilla-inbound/rev/5622da118913
https://hg.mozilla.org/mozilla-central/rev/5622da118913

Comment 8

5 years ago
Is this a major concern for FF8? Please nominate for beta approval if so.
Whiteboard: js-triage-needed → js-triage-needed [qa+]

Updated

5 years ago
status-firefox10: affected → ---

Updated

5 years ago
Depends on: 723574
(Reporter)

Comment 9

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+