Closed
Bug 676764
Opened 13 years ago
Closed 13 years ago
TI: Crash [@ JSC::MacroAssemblerCodePtr::executableAddress] or "Assertion failure: Missing rejoin," with e4x
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: js-triage-needed)
Crash Data
Attachments
(1 file)
|
2.26 KB,
text/plain
|
Details |
with( <x/> ) {
(function () {
for (;;) {
t
}
})()
}
crashes js debug shell on JM changeset e1508f49adc4 with -m, -a and -n at JSC::MacroAssemblerCodePtr::executableAddress
|
Reporter | |
Comment 1•13 years ago
|
||
with( <x/> ) {
(function () {
for (b = 0; b < 18; ++b) {}
})();
}
This variant asserts at Assertion failure: Missing rejoin,Keywords: assertion
Summary: TI: Crash [@ JSC::MacroAssemblerCodePtr::executableAddress] → TI: Crash [@ JSC::MacroAssemblerCodePtr::executableAddress] or "Assertion failure: Missing rejoin," with e4x
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: js-triage-needed
|
||
Comment 2•13 years ago
|
||
Two separate issues, both triggered by a recompilation activity while binding NAME accesses. The first was due to continuing to access the PIC structure after a lookup triggered recompilation activity, the second was due to not having any way to rejoin from a BINDNAME (there is no longer a need to distinguish this from other fallthrough opcodes, as the distinction was only needed for non-decomposed property incops). http://hg.mozilla.org/projects/jaegermonkey/rev/723b6c299574
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Comment 3•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug676764.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•