Closed Bug 728033 Opened 12 years ago Closed 12 years ago

IonMonkey: "Assertion failure: jumpOffset + SizeOfExtendedJump <= code->instructionsSize(),"

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: gkw, Assigned: dvander)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached file stack
a = {}
o14 = [].__proto__
function g(o) {
  o.f = o14
}
for (let i = 0; i < 50; i++) {
  g(a)
}

asserts js debug shell on IonMonkey changeset 05f26aaf851c with --ion and -n at Assertion failure: jumpOffset + SizeOfExtendedJump <= code->instructionsSize(),

Not very sure if attached stack is correct.
Attachment #598018 - Attachment description: screencast → stack
Attached patch fix
The bug is that we embed the location of the extended jump table into the relocation table. But if we never emit any relocations, we won't have access to the jump table later. This changes writeRelocations so we'll emit the extended jump table offset if we see a patchable jump.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #598425 - Flags: review?(sstangl)
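A simplified model of the failure described in the comment above, as an added example that is not IonMonkey's code or the attached patch. The `RelocWriter` type, its 4-byte header layout, the `HARDCODED` kind and all offsets are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Simplified model, not IonMonkey code: the first 4 bytes of the relocation
// buffer are a header slot reserved for the extended jump table offset.
enum class Reloc { HARDCODED, IONCODE };  // HARDCODED is an assumed name

struct RelocWriter {
    std::vector<uint8_t> buf;
    bool fixed;  // false: behaviour the bug comment describes; true: after fix
    explicit RelocWriter(bool f) : fixed(f) {}

    void putU32(uint32_t v) {
        uint8_t b[4];
        std::memcpy(b, &v, 4);
        buf.insert(buf.end(), b, b + 4);
    }
    // Called once per patchable jump located at code offset `src`.
    void writeRelocation(uint32_t src, Reloc kind) {
        if (!fixed && kind != Reloc::IONCODE)
            return;             // bug: nothing emitted, header never reserved
        if (buf.empty())
            putU32(0);          // placeholder, patched in finish()
        if (kind == Reloc::IONCODE)
            putU32(src);        // only IONCODE targets get a table entry
    }
    // Patch the header once the position of the jump table is known.
    void finish(uint32_t tableOffset) {
        if (buf.size() >= 4)
            std::memcpy(buf.data(), &tableOffset, 4);
    }
    // What a later patcher can recover from the buffer; -1 means "no header".
    int64_t extendedJumpTable() const {
        if (buf.size() < 4) return -1;
        uint32_t v;
        std::memcpy(&v, buf.data(), 4);
        return v;
    }
};

// Constructed scenario: a single patchable jump of the given kind.
int64_t tableAfterOneJump(bool fixed, Reloc kind) {
    RelocWriter w(fixed);
    w.writeRelocation(0x10, kind);
    w.finish(0x200);
    return w.extendedJumpTable();
}
```

With `fixed` set to false and a non-IONCODE jump, the lookup returns -1: the jump exists but the buffer holds no offset to find its table entry with.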
Comment on attachment 598425 [details] [diff] [review]
fix

Review of attachment 598425 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/x64/Assembler-x64.cpp
@@ +54,5 @@
>          // actual extended jump table offset yet, so write a 0 which we'll
>          // patch later.
>          jumpRelocations_.writeFixedUint32(0);
>      }
> +    if (reloc == Relocation::IONCODE) {
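Review bot: the added `if (reloc == Relocation::IONCODE)` branch has no comment, while the placeholder write directly above it explains itself ("write a 0 which we'll patch later"). Per the patch description, the fix relies on the placeholder being written for any patchable jump and on this branch alone being limited to IONCODE, so a one-line comment on the new condition stating that split would keep a later cleanup from merging the two checks again. A note or assertion that the placeholder is written only once, before the first entry, would also make the layout the later patching step expects explicit.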

hax. But OK.
Attachment #598425 - Flags: review?(sstangl) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/0e427c752e48
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug728033.js.
Flags: in-testsuite+