730115 - IonMonkey: Assertion failure: codeArray[offset], at ../jsanalyze.h:976

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on ionmonkey revision 5a04fd69aa09 (run with --ion -n -m), tested on 64 bit:


for (var power = 0; power < 20; power++) { 
  for (var count = 0; count < 1000; count++) {  }
  continue;   
  gc( start, (new Date(t)).getTimezoneOffset() );
}

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fix

When we have a "continue" or "break", the pc of the catch-block was kind of random. In this case it started after a JSOP_GOTO and began executing dead code. This fix introduces a |pc| on DeferredEdge and the catch block gets the pc of the first deferred edge.

Comment 2

[Jan de Mooij [:jandem]]

Comment on attachment 600586 [details] [diff] [review]
fix

Review of attachment 600586 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/IonBuilder.cpp
@@ +1441,5 @@
>      // There must always be a valid target loop structure. If not, there's
>      // probably an off-by-something error in which pc we track.
>      CFGState &state = *found;
>  
> +    state.loop.breaks = new DeferredEdge(current, state.loop.breaks, pc);

Shouldn't we either use "target" here instead of "pc", or have createBreakCatchBlock use state.loop.exitpc? Same for continue.

Comment 3

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: v2

Thanks, that's a much better idea.

Comment 4

[David Anderson [:dvander] - inactive, e-mail if emergency]

https://bug730115.bugzilla.mozilla.org/attachment.cgi?id=601092

Comment 5

[David Anderson [:dvander] - inactive, e-mail if emergency]

err  http://hg.mozilla.org/projects/ionmonkey/rev/1b73ed18a3a8

Comment 6

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug730115.js.