Closed Bug 646480 Opened 9 years ago Closed 9 years ago

TI+JM: Assertion failure: Call site vanished., at ../methodjit/Retcon.cpp:112

Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: jandem, Unassigned
References: Blocks 1 open bug

--
if (true)
    function f1() {}; 
function f2() {
    var y = -8;
    return y % 2;
}
f2() / 3;
--
$ ./js -a -n -m test.js
Assertion failure: Call site vanished., at ../methodjit/Retcon.cpp:112

Same assert as bug 646429, but it looks like it's another bug.

Yeah, the problem is that we emitted an IC for the first call to f2, then recompiled within that ic::Call and emitted an inline call which we couldn't rejoin at.  We can't really rejoin here, period: after ic::Call we need to test the return value, write ncode and jump to the new frame, but we don't have any value of ncode to write (fp->ncode must be in the inline path for lazy computation of prevPCs to work; there is an exception for expanded inline frames, but these should have their prevPC set directly).

This disables frame inlining during recompilation if there is any frame making a stub call at the call PC (kind of nasty; maybe the issue described above should just be fixed).

There is a second issue where during recompilation we get deeply confused by having the compilation in a call to recompile trigger reentrant recompilation.  Reentrant compilation is just plain bad news, and this fixes things so that any triggered recompilations are delayed until after the initial compilation/recompilation finishes.

http://hg.mozilla.org/projects/jaegermonkey/rev/b0cd13380c36
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Duplicate of this bug: 646498
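
The deferral described in the second part of the fix above, sketched as an added C++ example (not the JaegerMonkey patch; `Recompiler`, `triggers`, `run` and the script ids are hypothetical, and the trigger graph is constructed and assumed acyclic). Requests that arrive while a compile is on the stack are queued and drained by the outermost caller, so compile depth never exceeds 1.

```cpp
#include <cstdio>
#include <deque>
#include <map>
#include <vector>

// Illustrative model only: hypothetical names, not SpiderMonkey code.
struct Recompiler {
    // Constructed input: compiling script K triggers recompiles of triggers[K].
    std::map<int, std::vector<int>> triggers;
    std::deque<int> pending;    // requests deferred while a compile is active
    std::vector<int> order;     // scripts in the order they were compiled
    int depth = 0;              // compile() frames currently on the stack
    int maxDepth = 0;           // a value above 1 means reentrant compilation
    bool deferReentrant = true; // false models the behaviour before the fix

    void compile(int script) {
        if (++depth > maxDepth) maxDepth = depth;
        order.push_back(script);
        // Compiling can invalidate other scripts and request their recompile.
        auto it = triggers.find(script);
        if (it != triggers.end())
            for (int t : it->second) requestRecompile(t);
        --depth;
    }

    void requestRecompile(int script) {
        if (depth > 0 && deferReentrant) {
            pending.push_back(script);  // delay until the active compile ends
            return;
        }
        compile(script);
        // Only the outermost caller drains the queue, one compile at a time.
        while (depth == 0 && !pending.empty()) {
            int next = pending.front();
            pending.pop_front();
            compile(next);
        }
    }
};

// Script 1 triggers 2, which triggers 3 (constructed chain).
Recompiler run(bool defer) {
    Recompiler r;
    r.deferReentrant = defer;
    r.triggers = {{1, {2}}, {2, {3}}};
    r.requestRecompile(1);
    return r;
}

int main() {
    std::printf("deferred max depth: %d, reentrant max depth: %d\n",
                run(true).maxDepth, run(false).maxDepth);
}
```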