Closed
Bug 685472
Opened 13 years ago
Closed 13 years ago
Assertion failure: !thisFe->isNotType(JSVAL_TYPE_OBJECT), at methodjit/Compiler.cpp:5574
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla10
Version | Tracking | Status |
---|---|---|
firefox7 | --- | unaffected |
firefox8 | --- | unaffected |
firefox9 | + | affected |
firefox10 | + | --- |
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(Keywords: assertion, testcase, Whiteboard: js-triage-needed [qa+])
Attachments
(2 files)
2.60 KB, patch | dvander: review+
636 bytes, patch | dvander: review+
The following test crashes on mozilla-central revision b7d269a291b6 (options -m -n -a):

```js
function Integer(value, exception) {
  try {} catch (e) {}
  new(value = this)(this.value);
  Math.floor(({})[value.Math, this].abstract)
}
new Integer(3, false);
```
Comment 1•13 years ago (Reporter)
This does not seem to be a recent regression, it seems to go back into the TI branch (before merge to m-c). Also affects aurora now.
Comment 2•13 years ago (Assignee)
Bogus assert, and incomplete fix from bug 684084. When a script has never executed, the compiler could get tricked into thinking the 'this' value is not an object. In such cases, the code being generated will never actually run.
Assignee: general → bhackett1024
Attachment #565096 - Flags: review?(dvander)
Updated•13 years ago
Attachment #565096 - Flags: review?(dvander) → review+
Comment 3•13 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/e4f083b20def
Comment 4•13 years ago
https://hg.mozilla.org/mozilla-central/rev/e4f083b20def
please check tree-management, one of these recent patches regressed V8
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
Comment 5•13 years ago (Assignee)
It looks possible that this slightly regressed v8bench --- the corner case this is fixing hits on v8-raytrace due to a bug in getKnownTypeTag. For a type set which contains just the ANYOBJECT type (it can contain any object, and nothing else), getKnownTypeTag would return JSVAL_TYPE_UNKNOWN.
Attachment #568469 - Flags: review?(dvander)
Updated•13 years ago
Attachment #568469 - Flags: review?(dvander) → review+
Comment 6•13 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/5622da118913
Comment 7•13 years ago
https://hg.mozilla.org/mozilla-central/rev/5622da118913
Comment 8•13 years ago
Is this a major concern for FF8? Please nominate for beta approval if so.
Updated•12 years ago
status-firefox10: affected → ---
Comment 9•11 years ago (Reporter)
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+