Closed Bug 654392 Opened 14 years ago Closed 14 years ago

TI: Assertion failure: (uint8*)ic.funGuard.executableAddress() + ic.joinPointOffset == returnAddress, at js/src/methodjit/MethodJIT.cpp:1041

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

The following testcase asserts on TI revision 3062ff7fef83 (run with -m -n -a), tested on 64 bit: function enterFunc (funcName) {} test(); function test() { enterFunc ( "NaN number", "'eeeefghi'.match(/e*/)", new test( "Date.prototype" )); function err() { return new Error(); } var error = err(s,s,s,s); }
WFM, fixed I think by rev c963b24694cd. The problem is that FixupArity needs to update the PC if throwing an exception due to a blown JS stack, but to do that it checks an old ncode value against the frame's JIT after the exception has been marked. Due to lazy standard class initialization, throwing an exception can cause recompilation (might be nice if this couldn't happen), so the ncode value could be stale by the time FixupArity needed to use it to figure out the pc. This problem was still there for the interpoline patch (above rev), with the added problem that now there might not be any JIT at all when control returns to FixupArity. So the patch modifies things so that if we are bumping the stack limit and might throw (i.e. not every FixupArity call), we first make regs.pc coherent.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.