Closed Bug 641269 Opened 9 years ago Closed 9 years ago

TI: Crash [@ js::mjit::JaegerShot] or "Assertion failure: Call site vanished.,"

Categories

(Core :: JavaScript Engine, defect, critical)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, crash, testcase, Whiteboard: fixed-in-jaegermonkey)

Crash Data

(function() {
  const x = [][x]
})()

crashes js opt shells on JM changeset bcf148dbce2f with -m, -a, -n and -d at:

(gdb) bt
#0  0x00000000 in ?? ()
#1  0xbffff4f4 in ?? ()
#2  0x002208ad in js::mjit::JaegerShot ()
#3  0x000d05cf in js::RunScript ()
#4  0x000d3463 in js::Execute ()
#5  0x0001b0ab in JS_ExecuteScript ()
#6  0x0000a785 in Process ()
#7  0x0000c56b in Shell ()
#8  0x0000cb6c in main ()

and asserts js debug shells at Assertion failure: Call site vanished.
Add hooks for rejoining after an on stack recompilation in GETELEM/CALLELEM.

http://hg.mozilla.org/projects/jaegermonkey/rev/89a0db8a6317
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
Crash Signature: [@ js::mjit::JaegerShot]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug641269.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.