Closed Bug 685472 Opened 8 years ago Closed 8 years ago

Assertion failure: !thisFe->isNotType(JSVAL_TYPE_OBJECT), at methodjit/Compiler.cpp:5574

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla10

Tracking Status
firefox7 --- unaffected
firefox8 --- unaffected
firefox9 + affected
firefox10 + ---

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-needed [qa+])

Attachments

(2 files)

The following test crashes on mozilla-central revision b7d269a291b6 (options -m -n -a):


function Integer(value, exception) {
    try {} catch (e) {}
    new(value = this)(this.value);
    Math.floor(({})[value.Math, this].abstract) 
}
new Integer(3, false);
This does not seem to be a recent regression; it seems to go back into the TI branch (before merge to m-c). Also affects aurora now.
Attached patch: patch
Bogus assert, and incomplete fix from bug 684084.  When a script has never executed, the compiler could get tricked into thinking the 'this' value is not an object.  In such cases, the code being generated will never actually run.
Assignee: general → bhackett1024
Attachment #565096 - Flags: review?(dvander)
Attachment #565096 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/e4f083b20def

Please check tree-management; one of these recent patches regressed V8.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
It looks possible that this slightly regressed v8bench --- the corner case this is fixing hits on v8-raytrace due to a bug in getKnownTypeTag.  For a type set which contains just the ANYOBJECT type (it can contain any object, and nothing else), getKnownTypeTag would return JSVAL_TYPE_UNKNOWN.
Attachment #568469 - Flags: review?(dvander)
Attachment #568469 - Flags: review?(dvander) → review+
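A simplified model of the getKnownTypeTag corner case described in the comment above, added here as an illustration; it is not SpiderMonkey code or the attached patch. All names (TypeSetModel, makeSet, the FLAG_ and TAG_ constants, both functions) are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical tags and flags for this model; not SpiderMonkey's definitions.
enum ValueTag { TAG_INT32, TAG_DOUBLE, TAG_STRING, TAG_OBJECT, TAG_UNKNOWN };

const uint32_t FLAG_INT32     = 1u << 0;
const uint32_t FLAG_DOUBLE    = 1u << 1;
const uint32_t FLAG_STRING    = 1u << 2;
const uint32_t FLAG_ANYOBJECT = 1u << 3;  // any object, no specific objects tracked

struct TypeSetModel {
    uint32_t flags;        // primitive flags plus FLAG_ANYOBJECT
    size_t   objectCount;  // number of specific object types recorded
};

TypeSetModel makeSet(uint32_t flags, size_t objectCount) {
    TypeSetModel ts = { flags, objectCount };
    return ts;
}

// Behaviour the comment describes: a set holding only ANYOBJECT has no
// specific objects and matches no primitive case, so it ends up UNKNOWN.
ValueTag knownTagBuggy(const TypeSetModel &ts) {
    if (ts.objectCount)
        return ts.flags ? TAG_UNKNOWN : TAG_OBJECT;
    switch (ts.flags) {
      case FLAG_INT32:  return TAG_INT32;
      case FLAG_DOUBLE: return TAG_DOUBLE;
      case FLAG_STRING: return TAG_STRING;
      default:          return TAG_UNKNOWN;
    }
}

// Variant that treats "ANYOBJECT and nothing else" as a known object tag.
ValueTag knownTagHandlingAnyObject(const TypeSetModel &ts) {
    if (!ts.objectCount && ts.flags == FLAG_ANYOBJECT)
        return TAG_OBJECT;
    return knownTagBuggy(ts);
}

int main() {
    TypeSetModel anyObj = makeSet(FLAG_ANYOBJECT, 0);
    std::printf("buggy=%d handled=%d\n",
                knownTagBuggy(anyObj), knownTagHandlingAnyObject(anyObj));
    return 0;
}
```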
Is this a major concern for FF8? Please nominate for beta approval if so.
Whiteboard: js-triage-needed → js-triage-needed [qa+]
Depends on: 723574
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+