The default bug view has changed. See this FAQ.

IonMonkey: Assertion failure: [infer failure] Missing type pushed 0: <0x102503060>

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Assigned: jandem)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Trunk
x86_64
Mac OS X
assertion, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
./js --ion-eager

var x;
function f(o) {
    o.prop = x = 3;
}
f({});
try { f(1); } catch (e) {}

Assertion failure: [infer failure] Missing type pushed 0: <0x102503060>, at js/src/jsinfer.cpp:353
(Assignee)

Comment 1

5 years ago
Created attachment 625036 [details] [diff] [review]
Patch

Small bug: the resumepoint after a setgname did not include the value (on top of the stack). The patch moves the resumeAfter call after pushing the value so that the value is still on the stack for the SETPROP in the testcase.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #625036 - Flags: review?(dvander)
(Assignee)

Comment 2

5 years ago
To be more precise, the resumepoint was created before popping the global object and pushing the value, so it includes the global object instead of the value (hence the inference failure, <0x102503060> is a global object).
Comment on attachment 625036 [details] [diff] [review]
Patch

Review of attachment 625036 [details] [diff] [review]:
-----------------------------------------------------------------

Yikes. Good find. I think this was the first function to use resume points.
Attachment #625036 - Flags: review?(dvander) → review+
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/47b283284868
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug755832.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.