Closed Bug 661859 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: ic.fastGuardedNative, at methodjit/Retcon.cpp:156

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase) 

The following testcase asserts on TI revision 11714be33655 (run with -j -m -n -a), tested on 64 bit:


function TestCase(n, d, e, a) this.expect = e;
function reportCompare(expected, actual, description) {
    typeof actual
}
expect = 1;
var summary = 'Do not assert: top < ss->printer->script->depth';
var actual = 'No Crash';
var expect = 'No Crash';
test();
function test() {
    try {
        p = [1].some(function (y) test()) ? 4 : 0x0041
    } catch (ex) {}
    reportCompare(expect, actual, summary)
}
test();
TestCase();
test()
We could try to patch VMFrames in the middle of a native call multiple times, if during the native it recompiled the caller and then invalidated that recompiled code.  In normal stub or scripted calls we watch for this by inspecting the VMFrame/StackFrame's return address to see if it jumps to the interpoline, but natives need a special entry in the VMFrame's stubRejoin as native calls use a different return address (and the FASTCALL's return address will be garbage).

http://hg.mozilla.org/projects/jaegermonkey/rev/994d2ceb4278
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Fix braindead bug in the above fix, we would sometimes reset the VMFrame's stubRejoin even if we hadn't actually patched its caller frame.

http://hg.mozilla.org/projects/jaegermonkey/rev/2b6ec8bc086b
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug661859.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.