Closed Bug 659456 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: !inline_, at methodjit/MethodJIT.cpp:1297

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase) 

The following testcase asserts on TI revision 29f08848d96c (run with -j -m -n -a), tested on 64 bit:


function foo() { return "tracejit,methodjit"; };
function baz(on) {
    foo('bar');
}
eval("\
test();\
function test() {\
  baz(true);\
  test();\
}\
");
Oversight, need to handle computation of the parent pc/inlined in FixupArity when that parent is in an inlined frame.  Inlined frames can't have an argc mismatch, but they can certainly call functions with a mismatch.  Think this is a regression from rev f8159830d8b7, earlier we would always make a slow call here.

http://hg.mozilla.org/projects/jaegermonkey/rev/d5538f680ab4
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug659456.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.