Closed
Bug 772901
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: false (Bad SSA value), at ../jsanalyze.h:1069
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
5.34 KB,
patch
|
sstangl
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on ionmonkey revision 3ff7d89ec13d (run with --ion -n -m --ion-eager):
function f(x) {
delete ((x)++);
arguments[0] !== undefined;
}
f(1, x = [f.ArrayBuffer,unwatch.Int32Array], this, this, this) ;
|
Assignee | |
Comment 1•12 years ago
|
||
status update on whether LOCALINC will plague me in this JIT too: yes
|
||
Comment 2•12 years ago
|
||
Comment on attachment 641294 [details] [diff] [review]
fix
Review of attachment 641294 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/ion/TypeOracle.cpp
@@ +133,5 @@
> }
>
> + BinaryTypes b;
> + b.lhsTypes = types;
> + b.rhsTypes = NULL;
This is strange, but works since the value is unused in jsop_incslot. Since this isn't a binary operation anyway, would it just be possible to use pushedTypeSet()? JM does this in its jsop_localinc().
Attachment #641294 -
Flags: review?(sstangl) → review+
|
|
Assignee | |
Comment 3•12 years ago
|
||
Actually yeah I think returning UnaryTypes would make more sense, but MAdd::infer() only takes a BinaryTypes. I'll leave it alone for now...
http://hg.mozilla.org/projects/ionmonkey/rev/66aac8e7a214
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 4•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug772901.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•