Closed Bug 765477 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: v.isBoolean(), at jsobj.cpp:5876

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Assigned: nbp)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

Do not compiled type info mixed with argument object
7.35 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
The following testcase asserts on ionmonkey revision de23a9fc29db (run with --ion -n -m --ion-eager):


function f(useArg2, arg2, expect) {
    var args = arguments;
    if (useArg2)
	args = arg2;
    assertEq(args.length, expect);
}
f(false, 0, 3);
f(false, 0, 3);
Assignee: general → nicolas.b.pierron
Every time we check for an argument object, we ensure that this is the uniq flag.
Attachment #634332 - Flags: review?(jdemooij)
Comment on attachment 634332 [details] [diff] [review]
Do not compiled type info mixed with argument object

Review of attachment 634332 [details] [diff] [review]:
-----------------------------------------------------------------

This approach seems reasonable, r=me with nits addressed.

::: js/src/ion/IonBuilder.cpp
@@ +4054,5 @@
>          return jsop_getelem_string();
>  
> +    TypeCertainty isArguments = oracle->elementReadMagicArguments(script, pc);
> +    if (isArguments == UnSure)
> +        return abort("Type tags are messed-up.");

Nit: when reading the spew it would help to know the reason has to do with (lazy) arguments. So maybe something like "Not definitely accessing lazy arguments"?

::: js/src/ion/TypeOracle.cpp
@@ +556,5 @@
>  {
>      return getMIRType(script->analysis()->pushedTypes(pc, 0));
>  }
>  
> +TypeCertainty

Nit: a small comment here would be good, explaining why we have to do this.

@@ +562,5 @@
>  {
>      types::TypeSet *obj = script->analysis()->poppedTypes(pc, 0);
> +    if (obj->isMagicArguments(cx))
> +        return SureTrue;
> +    if (obj->hasAnyFlag(TYPE_FLAG_LAZYARGS))

Lazy args is not used if "obj" here could be "unknown" right?

::: js/src/ion/TypeOracle.h
@@ +74,5 @@
> +enum TypeCertainty {
> +    UnSure = 0,
> +    SureTrue,
> +    SureFalse
> +};

Nit: something like this seems slightly more readable: LazyArgumentsType { DefinitelyArguments, MaybeArguments, NotArguments };
Attachment #634332 - Flags: review?(jdemooij) → review+
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3112408514c8).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
https://hg.mozilla.org/projects/ionmonkey/rev/29aa7b886d50
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug765477.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: