for (a = 0; a < 4; a++) { new Math.round(0).t } crashes js opt shell on TM tip with -j at js::Interpret and asserts js debug shell on TM tip with -j at Assertion failure: LIR type error (start of writer pipeline): arg 1 of 'ldi' is 'immd' which has type float64 (expected int32): 0 (../nanojit/LIR.cpp:2783) s-s because this is an LIR type error. Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000004 0x0005da5d in js::Interpret () (gdb) bt #0 0x0005da5d in js::Interpret () #1 0x0006e68b in js::Execute () #2 0x00014b68 in JS_ExecuteScript () #3 0x00005dfc in Process () #4 0x00009696 in shell () #5 0x00009ba7 in main () (gdb) x/i $eip 0x5da5d <_ZN2js9InterpretEP9JSContext+7053>: cmp %eax,0x4(%ecx) (gdb) x/b $eax 0x199020 <js_ArrayClass>: 0xc9 (gdb) x/b $ecx 0x0: Cannot access memory at address 0x0

I couldn't use the technique in bug 558633 comment #6 to get more LIR spew, it gives me a Assertion failure: rmask(rr) & FpRegs (../nanojit/Nativei386.cpp:2154)

autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 46286:839073dc9b77 user: David Anderson date: Mon Jun 28 14:49:12 2010 -0500 summary: Bug 567577 - `new Math.sin` is NaN, not an object, in interpreter only. r=Waldo.

(In reply to comment #1) > I couldn't use the technique in bug 558633 comment #6 to get more LIR spew, it > gives me a Assertion failure: rmask(rr) & FpRegs > (../nanojit/Nativei386.cpp:2154) Gary, if you use TMFLAGS=recorder instead of TMFLAGS=readlir that might work. TMFLAGS=recorder prints out the LIR in an earlier stage of compilation, and that assert occurs during assembly which is the last stage of compilation.

(In reply to comment #3) > Gary, if you use TMFLAGS=recorder instead of TMFLAGS=readlir that might work. > TMFLAGS=recorder prints out the LIR in an earlier stage of compilation, and > that assert occurs during assembly which is the last stage of compilation. Thanks for the suggestion, Nick, hope this helps the devs.

any update on this?

Hrm... looks like some kind of existing bug. It can't be right that these cases are valid for NEW, APPLY.

Comment on attachment 462650 [details] [diff] [review] fix OK, but please land it on TM (the patch will need a tweak due to recentish changes there).

Tracer has been long gone on trunk, marking verified.

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug579740.js.