Bug 688968 - Assertion failure: copied == 0, at ../methodjit/FrameEntry.h:179
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla10
Assigned To: Brian Hackett (:bhackett)
Blocks: langfuzz
Reported: 2011-09-24 05:30 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:19 PST
choller: in‑testsuite+

Attachments
patch (1.63 KB, patch)
2011-09-30 12:14 PDT, Brian Hackett (:bhackett)
dvander: review+

Description Christian Holler (:decoder) 2011-09-24 05:30:42 PDT
The following test asserts on mozilla-central revision fecae145d884 (options -m -n -a):


function foo(x) {
  x === x--;
}
foo(1.2);
Comment 1 Brian Hackett (:bhackett) 2011-09-30 12:14:51 PDT
Created attachment 563800
patch

Bogus assert.  There's a special path we take when code like 'x === x' shows up to test for NaN.  It needs normal registers, and if the entry is a known double we forget that so we can get the registers (probably generating some pretty bad code; this path hasn't been updated for TI).  The botch happens when we forget the lhs is a double; the fix pops the rhs first (it is no longer needed) so the lhs is not copied.
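
The self-comparison shape discussed in Comment 1, as an added example that is not part of the bug report or the SpiderMonkey tree: a result-checking harness for `x === x--` across value kinds. The function names, sample list and iteration count are assumptions chosen for illustration.

```javascript
// Added example: names and the iteration count are assumptions, not from the bug.

// Same expression shape as the bug's testcase, but returning the result.
function selfCompareDecrement(x) {
  return x === x--;
}

// Expected value derived from the language semantics rather than from `===`:
// the left operand is read before the decrement, and `x--` yields the old
// value converted to a number. The comparison is therefore true only when x
// is already a number and is not NaN.
function expectedResult(x) {
  return typeof x === "number" && !Number.isNaN(x);
}

// Constructed sample inputs: the double from the report plus other kinds.
const SAMPLES = [1.2, 1, -0, 0.5e-300, Infinity, NaN, "1.2", undefined, null, true];

// Run each sample enough times for a JIT to compile the hot function, and
// collect the first call per sample whose result differs from the expectation.
function findMismatches(iterations = 20000) {
  const mismatches = [];
  for (const sample of SAMPLES) {
    const want = expectedResult(sample);
    for (let i = 0; i < iterations; i++) {
      const got = selfCompareDecrement(sample);
      if (got !== want) {
        mismatches.push({ sample: String(sample), iteration: i, got, want });
        break; // one report per sample is enough
      }
    }
  }
  return mismatches;
}

const result = findMismatches();
console.log(result.length === 0 ? "ok" : result);
```

An empty result means every sample matched the expected value on every iteration; a failed engine assertion in a debug build would abort the run before any result is reported.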
Comment 2 Brian Hackett (:bhackett) 2011-10-03 14:52:11 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/db349edef0d6
Comment 3 Matt Brubeck (:mbrubeck) 2011-10-03 16:44:15 PDT
https://hg.mozilla.org/mozilla-central/rev/db349edef0d6
Comment 4 Christian Holler (:decoder) 2013-01-19 14:19:04 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
