Closed Bug 683227 Opened 8 years ago Closed 8 years ago

TI: Assertion failure: newShape != initialShape, at methodjit/PolyIC.cpp:384

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-jaegermonkey)

Attachments

(2 files)

Attached file Testcase for shell
The attached testcase asserts on TI revision 6c8e0affe03e (run with -j -m -n -a), tested on 64 bit.
Attachment #556928 - Attachment mime type: text/plain → application/x-tar
Attached patch patchSplinter Review
If a GC is triggered during analysis or compilation, we do not clear analysis information or destroy JITScripts.  GC things pointed to by the JITScripts are pinned, but with TI enabled the jitcode can bake in shape numbers when constructing objects inline and these numbers will be invalidated if the GC is regenerating shapes.  The fix just releases all jitcode on every GC; there is no need to keep the jitcode around even if we are compiling, as the compiler does not update the JSScript until it is finished (we do need to abandon compilation if a GC was triggered by it, which this patch does).
Attachment #558071 - Flags: review?(dvander)
Attachment #558071 - Flags: review?(dvander) → review+
http://hg.mozilla.org/mozilla-central/rev/de64e5ce70bc
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.