Last Comment Bug 756777 - IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:832
: IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:832
Status: RESOLVED FIXED
[jsbugmon:update,reconfirm]
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86_64 Linux
: -- major (vote)
: ---
Assigned To: David Anderson [:dvander]
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz IonFuzz
  Show dependency treegraph
 
Reported: 2012-05-19 07:40 PDT by Christian Holler (:decoder)
Modified: 2012-05-30 12:15 PDT (History)
7 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Testcase for shell (1.01 KB, application/x-gzip)
2012-05-19 07:40 PDT, Christian Holler (:decoder)
no flags Details
fix (1.37 KB, patch)
2012-05-22 17:51 PDT, David Anderson [:dvander]
sstangl: review+
Details | Diff | Splinter Review

Description Christian Holler (:decoder) 2012-05-19 07:40:03 PDT
Created attachment 625406 [details]
Testcase for shell

The attached testcase asserts on ionmonkey revision 890dd17b4187 (run with --ion -n -m --ion-eager).
Comment 1 Nicolas B. Pierron [:nbp] 2012-05-22 16:21:58 PDT
Works for me at revision 9602aebd7e43a27f1675ca8313b80045c383c7fb.
Comment 2 Christian Holler (:decoder) 2012-05-22 16:36:57 PDT
I'm still seeing this on the fuzzer, let's see if it still repros.
Comment 3 David Anderson [:dvander] 2012-05-22 17:51:26 PDT
Created attachment 626270 [details] [diff] [review]
fix

This seemed to sketchy to just be fixed, at first I thought it was bug 756235 but reproduces with that applied too. Turns out it's similar though. LDefVar wasn't marked as a call, so LSRA gave it safepoint regs, which of course weren't spilled. To make it a call we also have to make it use the call temporary regs.
Comment 4 David Anderson [:dvander] 2012-05-22 23:14:42 PDT
http://hg.mozilla.org/projects/ionmonkey/rev/9a4817a83ca6

Note You need to log in before you can comment on or make changes to this bug.