Closed Bug 669304 Opened 8 years ago Closed 8 years ago

TI: Assertion failure: &regs == &f->regs, at methodjit/Retcon.cpp:315

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

The following testcase asserts on TI revision f59a6cabfbd4 (run with -j -m -a -n), tested on 64 bit:


function jit(on) { foo('tracejit'); } 
function foo() {}
test();
function test() {
  try {
    new test;
  } catch(e) {}
  jit(false);
  test();
}
Botch from the last TM -> JM merge, which pulled in changes to how stack frames are constructed.  When pushing a new frame in UncachedInlineCall we need to repoint the registers to a new local to preserve the property that f.regs reflects the state when its active stub call was made, but we need to check there is space to push first.  Otherwise we will throw an exception with the original frame at the top of the stack, and if the caller has inline frames we will only update f.regs when expanding those frames.

http://hg.mozilla.org/projects/jaegermonkey/rev/c5e43682922d
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Blocks: 676763
You need to log in before you can comment on or make changes to this bug.