Bug 687125 - Assertion failure: fe->isType(type), at methodjit/Compiler.cpp:7187
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: mozilla9
Assigned To: Brian Hackett (:bhackett)
Blocks: langfuzz
Reported: 2011-09-16 11:18 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:35 PST (History)
choller: in‑testsuite+


Attachments
patch (1.30 KB, patch)
2011-09-22 21:59 PDT, Brian Hackett (:bhackett)
dvander: review+

Description Christian Holler (:decoder) 2011-09-16 11:18:42 PDT
The following test asserts on mozilla-central revision f3f5d8a8a473 (options -m -n):


function MakeDay( year, month, date ) {
  date = ToInteger(date );
  var t = ( year < 1970 ) ? 1 :  0;
  return ( (Math.floor(t/86400000)) + date - 1 );
}
function MakeDate( day, time ) {
  if ( day == Number.POSITIVE_INFINITY || day == Number.NEGATIVE_INFINITY ) {  }
}
function ToInteger( t ) {
  var sign = ( t < 0 ) ? -1 : 1;
  return ( sign * Math.floor( Math.abs( t ) ) );
}
var UTCDate = MyDateFromTime( Number("946684800000") );
function MyDate() {
  this.date = 0;
}
function MyDateFromTime( t ) {
  var d = new MyDate();
  d.value = ToInteger( MakeDate( MakeDay( d.year, d.month, d.date ), d.time ) );
  while (Uint32Array) if (0 == 100000) return;     
}


Although this is the same assert as in Bug 684084, which is fixed in jaegermonkey but not on m-c, this seems to be another bug as I can reproduce on both branches.
Comment 1 Brian Hackett (:bhackett) 2011-09-22 21:59:24 PDT
Created attachment 561968
patch

When deciding which calls to inline, we would allow inlining of functions which have not been analyzed.  These functions were then analyzed in order to compile them, and such analysis could change types and break properties of the code which we checked while deciding to inline, and which the compiler later depended on (in this case, that inlined call sites have no type barriers).
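Added example, not part of the bug report or of the SpiderMonkey patch: a simplified C++ model of the ordering problem described in comment 1, where the inlining check runs before the callee is analyzed and the compiler later relies on the stale result. `Script`, `CallSite`, `Policy` and the rule that a site needs a barrier when the callee can return a type the caller has not observed are assumptions made for illustration.

```cpp
#include <set>
#include <string>

using TypeSet = std::set<std::string>;

struct Script {
    bool analyzed = false;
    TypeSet returnTypes;         // populated only once analysis has run
    TypeSet pendingReturnTypes;  // what analysis will discover (constructed input)
};

struct CallSite {
    Script *callee;
    TypeSet observed;            // result types the caller has seen so far
};

// Analysis publishes the callee's return types; this is the step that "changes types".
void analyze(Script &s) {
    if (s.analyzed) return;
    s.returnTypes = s.pendingReturnTypes;
    s.analyzed = true;
}

// Modelled rule: a barrier is needed if the callee may return an unobserved type.
bool hasTypeBarrier(const CallSite &site) {
    for (const auto &t : site.callee->returnTypes)
        if (!site.observed.count(t)) return true;
    return false;
}

enum class Policy { AllowUnanalyzed, RequireAnalyzed };

// Inlining decision: only barrier-free sites qualify. RequireAnalyzed also
// rejects callees whose type information does not exist yet.
bool decideInline(const CallSite &site, Policy p) {
    if (p == Policy::RequireAnalyzed && !site.callee->analyzed) return false;
    return !hasTypeBarrier(site);
}

// True when the property the compiler depends on (inlined sites have no type
// barriers) still holds after the inlined callee has been analyzed for compilation.
bool compileKeepsInvariant(CallSite &site, Policy p) {
    bool inlined = decideInline(site, p);      // check
    if (inlined) analyze(*site.callee);        // compiling the inlined body forces analysis
    return !inlined || !hasTypeBarrier(site);  // use: the point where the assertion would fire
}
```

With `Policy::AllowUnanalyzed` the empty `returnTypes` of an un-analyzed callee makes the site look barrier-free, which is the stale property; `Policy::RequireAnalyzed` defers the decision until the type information exists.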
Comment 2 Brian Hackett (:bhackett) 2011-09-23 07:03:57 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/2b64fbd502a3
Comment 3 Ed Morley [:emorley] 2011-09-23 20:55:09 PDT
https://hg.mozilla.org/mozilla-central/rev/2b64fbd502a3

Please could you use the "take this bug" checkbox when attaching patches, since it would save me needing to correct assignee each time on merging. Thanks :-)
Comment 4 Christian Holler (:decoder) 2013-01-19 14:35:27 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
