687399 - Assertion failure: copied == 0, at ../methodjit/FrameEntry.h:180

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test assert on mozilla-central revision 06445f55f009 (options -m -n -a):


if (!this.emulatedJSON) {
    emulatedJSON = function () {
        function stringify(value, whitelist) {
            var a, i, v;
            switch (typeof value) {
            case 'string':
                if (!(value.propertyIsEnumerable('length'))) {
                    for (i = 0; i < l; i += 1) {
                        k = whitelist[i];
                        if (typeof k === 'string') {
                            if (i %= 'not visited') {}
                        }
                    }
                }
            }
        }
        return {
            stringify: stringify,
        };
    }();
    var testPairs = [ ['{"five":5}'] ]
    for (var i = 0; i < testPairs.length; i++) {
        var pair = testPairs[i];
        var s = emulatedJSON.stringify(pair[1])
    }
}

Comment 1

[Brian Hackett [Laid off!]]

Attachment: patch

Bogus assertion.  In scripts which have switch or try blocks we don't track variables using the SSA and need to forget about known doubles when branching to a location where the slot is in a normal register (with SSA this is done in the compiler rather than frame state).  To mark the type as unknown, fe->resetSynced was used, which only wants to be called on non-copied frame entries.  A copy is possible here, so the fix just explicitly marks the type/data of the entry as in memory.

Comment 2

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/65d1dc5881f0

Comment 3

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/65d1dc5881f0

Comment 4

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929