Assertion failure: fe->isType(type), at methodjit/Compiler.cpp:7187

RESOLVED FIXED in mozilla9

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla9
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test asserts on mozilla-central revision f3f5d8a8a473 (options -m -n):


function MakeDay( year, month, date ) {
  date = ToInteger(date );
  var t = ( year < 1970 ) ? 1 :  0;
  return ( (Math.floor(t/86400000)) + date - 1 );
}
function MakeDate( day, time ) {
  if ( day == Number.POSITIVE_INFINITY || day == Number.NEGATIVE_INFINITY ) {  }
}
function ToInteger( t ) {
  var sign = ( t < 0 ) ? -1 : 1;
  return ( sign * Math.floor( Math.abs( t ) ) );
}
var UTCDate = MyDateFromTime( Number("946684800000") );
function MyDate() {
  this.date = 0;
}
function MyDateFromTime( t ) {
  var d = new MyDate();
  d.value = ToInteger( MakeDate( MakeDay( d.year, d.month, d.date ), d.time ) );
  while (Uint32Array) if (0 == 100000) return;     
}


Although this is the same assert as in Bug 684084, which is fixed in jaegermonkey but not on m-c, this seems to be another bug as I can reproduce on both branches.
(Assignee)

Comment 1

6 years ago
Created attachment 561968 [details] [diff] [review]
patch

When deciding which calls to inline, we would allow inlining of functions which have not been analyzed.  These functions were then analyzed in order to compile them, and such analysis could change types and break properties of the code which we checked while deciding to inline, and which the compiler later depended on (in this case, that inlined call sites have no type barriers).
Attachment #561968 - Flags: review?(dvander)
(Assignee)

Updated

6 years ago
Whiteboard: js-triage-needed
Attachment #561968 - Flags: review?(dvander) → review+
(Assignee)

Comment 2

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/2b64fbd502a3

Comment 3

6 years ago
https://hg.mozilla.org/mozilla-central/rev/2b64fbd502a3

Please could you use the "take this bug" checkbox when attaching patches, since it would save me needing to correct assignee each time on merging. Thanks :-)
Assignee: general → bhackett1024
Status: NEW → RESOLVED
Last Resolved: 6 years ago
OS: Linux → All
Hardware: x86_64 → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla9
(Reporter)

Comment 4

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.