Closed Bug 659639 Opened 14 years ago Closed 14 years ago

TI: Assertion failure: Missing rejoin, at methodjit/InvokeHelpers.cpp:1629

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase)

The following testcase asserts on TI revision 4c7ebbb52876 (run with -j -m -n -a), tested on 64 bit:

test();
function iso(d) {
  new Date(d).toISOString()
}
function check(s,millis) {
  iso(millis);
}
function dd(year, month, day, hour, minute, second, millis) {
  return Date.UTC(year, 1, day, hour, minute, second, millis);
}
function test() {
  try {
    check("", 20092353211)
    check("", 2009)
    check("", 0)
    check("", dd(BUGNUMBER, 7, 23, 19, 53, 21, 1))
  } catch (e) {}
}
var BUGNUMBER = "10278";
test()

Regression from rev f8159830d8b7, the problem is that when expanding an inlined frame that is making a native call, we patch the native stub but don't update the IC itself, so that the next time the stub is used we might inadvertently jump into the interpoline. (This isn't a problem for patching natives on recompilation, which will discard the IC afterwards).

This could be fixed by disabling the inlined IC and making sure all instances of the native IC on the stack get fixed up (removing FRAME_EXPAND_TOP), but instead this patch reverts to the earlier behavior and doesn't generate native ICs on stub calls. Will wait and see if any compelling new cases come up to add back this complexity (the preferred solution for fixing native calls is to inline them or turn them into custom stubs).

http://hg.mozilla.org/projects/jaegermonkey/rev/8bcb569c9bf9

Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug659639.js.
Flags: in-testsuite+