Closed Bug 646006 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: stubsGenerated < MAX_PIC_STUBS, at ./methodjit/PolyIC.cpp:2103

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Test case for shell (run with -n -a -m)
1.08 KB, application/javascript
Details 
The attached testcase asserts on TI tip when run with -n -m -a (tested on 64 bit). The testcase switched asserts and also crashed several times, it's likely to be some kind of memory corruption.
Yes, this is corruption.  The checks we previously did to see if a recompilation occurred in the middle of an IC call (invalidating the IC and forcing it to terminate) are insufficient with scripted call inlining, as if we expand any inlined frames then the JITScript we get back afterwards might be for a different script (and we think no recompilation occurred and proceed to trash memory).

This removes the recompilations counter from JITScript, and changes the ICs to bail out if any recompilation or frame expansion occurred on any script/frame in the compartment (which are rare events anyways).

http://hg.mozilla.org/projects/jaegermonkey/rev/453c2dcce09e
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: