Closed Bug 673812 Opened 9 years ago Closed 9 years ago

TI: Assertion failure: fp->jit()->isValidCode(*addr), at methodjit/Retcon.cpp:463

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

The following testcase asserts on TI revision 9b9fd467eb5f (run with -j -m -n -a), tested on 64 bit:


gczeal(2);
try {
    DoWhile_3();
} catch (e) {}
function f() {
    test();
    yield 170;
}
function test() {
    function foopy() {
        try {
            for (var i in f());
        } catch (e) {}
    }
    foopy();
    gc();
}
test();

When kicking all JIT code into the interpreter during GC, we left the stale ncode values in the JIT frames alone, since they will never be used again during execution of those frames. They can, however, be observed by the recompiler, which can get invoked before the JIT frames' VMFrame gets popped and will get confused by the ncode values.

http://hg.mozilla.org/projects/jaegermonkey/rev/4d1506b097db
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Blocks: 676763
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug673812.js.
Flags: in-testsuite+
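
A toy model of the stale ncode condition described in the root-cause comment above, added here as an illustration; it is not SpiderMonkey code and not the linked fix. Every name except ncode and isValidCode is hypothetical, and resetting the saved address on discard is an assumed repair, not necessarily what the revision does.

```cpp
// Toy model, constructed for illustration; not SpiderMonkey code.
#include <cstdint>
#include <cstdio>
#include <vector>

struct JitCode {                       // one script's compiled code region
    uintptr_t start, size;
    bool live;                         // false once GC has discarded it
    bool isValidCode(uintptr_t a) const { return live && a >= start && a < start + size; }
};

struct Frame {
    JitCode *jit;                      // code the frame was running
    uintptr_t ncode;                   // saved native return address
};

constexpr uintptr_t NO_NCODE = 0;      // hypothetical "no native return" marker

// GC discards the code. With scrub == false the frames keep their old
// ncode (the condition described in the bug); with scrub == true they are reset.
void discard(JitCode &code, std::vector<Frame> &stack, bool scrub) {
    code.live = false;
    for (Frame &f : stack)
        if (f.jit == &code && scrub) f.ncode = NO_NCODE;
}

// Recompiler-style stack walk: counts frames whose saved return address
// would fail an isValidCode() check instead of asserting on the first one.
int countInvalidReturns(const std::vector<Frame> &stack) {
    int bad = 0;
    for (const Frame &f : stack)
        if (f.ncode != NO_NCODE && !f.jit->isValidCode(f.ncode)) ++bad;
    return bad;
}

// Two frames in the same script; GC runs before either frame is popped.
int runModel(bool scrub) {
    JitCode code{0x1000, 0x100, true};
    std::vector<Frame> stack{{&code, 0x1010}, {&code, 0x1080}};
    if (countInvalidReturns(stack) != 0) return -1;   // sane before GC
    discard(code, stack, scrub);
    return countInvalidReturns(stack);
}

int main() {
    std::printf("stale ncode left in place: %d invalid\n", runModel(false));
    std::printf("ncode scrubbed on discard: %d invalid\n", runModel(true));
}
```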