Closed
Bug 756777
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:832
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,reconfirm])
Attachments
(2 files)
1.01 KB,
application/x-gzip
|
Details | |
1.37 KB,
patch
|
sstangl
:
review+
|
Details | Diff | Splinter Review |
The attached testcase asserts on ionmonkey revision 890dd17b4187 (run with --ion -n -m --ion-eager).
Comment 1•12 years ago
|
||
Works for me at revision 9602aebd7e43a27f1675ca8313b80045c383c7fb.
Reporter | ||
Comment 2•12 years ago
|
||
I'm still seeing this on the fuzzer, let's see if it still repros.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,reconfirm]
Assignee | ||
Comment 3•12 years ago
|
||
This seemed to sketchy to just be fixed, at first I thought it was bug 756235 but reproduces with that applied too. Turns out it's similar though. LDefVar wasn't marked as a call, so LSRA gave it safepoint regs, which of course weren't spilled. To make it a call we also have to make it use the call temporary regs.
Assignee | ||
Updated•12 years ago
|
Attachment #626270 -
Flags: review? → review?(sstangl)
Updated•12 years ago
|
Attachment #626270 -
Flags: review?(sstangl) → review+
Assignee | ||
Comment 4•12 years ago
|
||
http://hg.mozilla.org/projects/ionmonkey/rev/9a4817a83ca6
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•