Closed Bug 647532 Opened 9 years ago Closed 9 years ago

TI: Crash [@ js::mjit::EnterMethodJIT] or "Assertion failure: Call site vanished."

Categories

(Core :: JavaScript Engine, defect, critical)

x86
macOS

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, crash, testcase)

Function("\
    __defineSetter__(\"x\",Object.keys)\
    (z=x instanceof[].some)\
")()

crashes js opt shell on JM changeset c340841f0465 with -m, -a and -n at a weird memory location with js::mjit::EnterMethodJIT on the stack and asserts js debug shell at Assertion failure: Call site vanished.

jsop_instanceof generated an inline stub call when an operand is a known non-object, skipping the rejoin paths from the GETPROP it issues later. This changes the path so that the jsop_getprop is always emitted.

http://hg.mozilla.org/projects/jaegermonkey/rev/215b6027c77d
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::mjit::EnterMethodJIT]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug647532.js.
Flags: in-testsuite+