Closed
Bug 756240
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: unexpected frame type, at ion/IonFrames.cpp:584
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
1.39 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on ionmonkey revision 14735b4dbccc (run with --ion -n -m --ion-eager): function f() { var x = 10; var g = function(x, Int8Array, arr, f) { for (var i = 0; i < 10; ++i) { gc(); } } for (var i = 0; i < 10; ++i) { g(100 * i + x); } } f();
Assignee | ||
Comment 1•12 years ago
|
||
This looks pretty straightforward, just a bogus assert - though I'd like to understand why we're seeing a BailedRectifier frame here first.
Assignee: general → dvander
Status: NEW → ASSIGNED
Assignee | ||
Comment 2•12 years ago
|
||
Looks normal.
Attachment #625025 -
Flags: review?(nicolas.b.pierron)
Comment 3•12 years ago
|
||
Comment on attachment 625025 [details] [diff] [review] fix Review of attachment 625025 [details] [diff] [review]: ----------------------------------------------------------------- The rectifier frame is not removed by a bailout because we still have live code to remove it. … | prev = Rectifier | prev = JSFrame <bailout> … | prev = Bailed_Rectifier <exit> | ThunkToInterpreter I don't think we need to mark arguments of the bailed rectifier frames since they are supposed to be captured by the bailout. In fact, only the return address and the frame descriptor need to be kept alive and none are markable. The callee token does not need to be marked since it is now part of the StackFrame. ::: js/src/ion/IonFrames.cpp @@ +573,1 @@ > MarkIonCodeRoot(trc, activation->compartment()->ionCompartment()->getArgumentsRectifierAddr(), "Arguments Rectifier"); nit: You don't need to mark Bailed_Rectifier frames.
Attachment #625025 -
Flags: review?(nicolas.b.pierron) → review+
Assignee | ||
Comment 4•12 years ago
|
||
http://hg.mozilla.org/projects/ionmonkey/rev/1fe4c286323b
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 5•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Reporter | ||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Updated•12 years ago
|
Group: core-security
Reporter | ||
Comment 6•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756240.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•